Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T0853: Scripting

Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions.

In addition to being a useful tool for developers and administrators, scripting language interpreters may be abused by the adversary to execute code in the target environment. Due to the nature of scripting languages, this allows for weaponized code to be deployed to a target easily, and leaves open the possibility of on-the-fly scripting to perform a task.

ICST0853TechniqueObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Scripting matters in ICS because the same interpreters that help engineers and administrators maintain systems can also let an adversary run arbitrary code without bringing a traditional compiled executable. For business leaders, the concern is not “scripts” in the abstract; it is whether script execution is controlled and visible on systems that support operations, including workstations, HMIs, historians, control servers, application servers, gateways, jump hosts, switches, and firewalls.

Executive priority

Prioritize this as an operational resilience and control-governance issue. Ask which ICS assets are allowed to run scripting interpreters, who can use them, whether script execution is logged, and whether application control or script blocking is enforced where appropriate. ATT&CK maps this technique to notable ICS campaigns, groups, and software, so it is useful for tabletop exercises, audit evidence, and incident-response readiness, but the supplied data does not support any claim of current activity against your environment.

Technical view

SOC, detection engineering, and IR teams should validate coverage around interpreter use, script file creation/modification, and script execution on the ICS asset classes identified in the relationships. Because ATT&CK provides no official detection text and no explicit technique platforms or tactics, teams should not assume coverage from generic endpoint monitoring alone. Use DET0735 as the ATT&CK-linked detection strategy reference, then test whether logs exist and are normalized for workstations, HMIs, historians, control servers, application servers, data gateways, jump hosts, switches, and firewalls where scripting capability exists.

Likely telemetry

  • Process execution records for scripting language interpreters where available
  • Script file creation, modification, and execution metadata
  • Application control, script blocking, and execution-prevention events
  • Administrative and engineering workstation activity logs
  • HMI, historian, control server, and application server audit logs where supported

Detection direction

  • Inventory approved scripting interpreters and compare observed use against expected engineering, administration, and maintenance workflows.
  • Tune detections for scripting on high-consequence ICS assets, especially jump hosts, HMIs, historians, control servers, and application servers.
  • Separate legitimate operational scripts from unusual interactive, user-supplied, or newly introduced scripts to reduce false positives.
  • Correlate script execution with remote access sessions, change windows, asset role, and user identity rather than alerting on interpreter use alone.
  • Validate that DET0735-style detection content is supported by real telemetry in the local environment; ATT&CK does not provide detection detail for this object.

Mitigation priorities

  • Start with necessity: remove or deny access to unnecessary scripting features or programs, aligned to M0942.
  • Apply execution prevention using application control and/or script blocking where operationally safe, aligned to M0938.
  • Use application isolation or sandboxing for code execution paths where scripts must be handled but should not directly affect endpoint systems, aligned to M0948.
  • Define approved scripts, owners, maintenance windows, and change-control evidence for ICS assets that require scripting.
  • Test controls with operations teams before enforcement on safety- or availability-sensitive systems.
Analyst notes and limits

The decision value is in distinguishing legitimate engineering automation from uncontrolled code execution capability. This technique is especially material in ICS because the related assets include operator-facing systems, remote access paths, data collection systems, control-support servers, and network boundary devices. The relationship set also links this behavior to historical ICS campaigns and software, supporting threat-informed validation without implying current targeting.

The supplied ATT&CK object has no official detection guidance, no listed tactics, and no explicit platform list for the technique itself. Platform references come from related ICS assets, not from the technique platform field. Local asset inventory, interpreter inventory, logging configuration, and operational change processes are required to determine actual exposure and detection coverage.

Official MITRE ATT&CK definition

Scripting

Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions.

In addition to being a useful tool for developers and administrators, scripting language interpreters may be abused by the adversary to execute code in the target environment. Due to the nature of scripting languages, this allows for weaponized code to be deployed to a target easily, and leaves open the possibility of on-the-fly scripting to perform a task.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Group ICS

G0064: APT33

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.[1][2]

Group ICS

G0049: OilRig

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]

Malware ICS

S0496: REvil

REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which as been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.[1][2][3]

Windows
Campaign ICS

C0030: Triton Safety Instrumented System Attack

Triton Safety Instrumented System Attack was a campaign employed by TEMP.Veles which leveraged the Triton malware framework against a petrochemical organization.[1] The malware and techniques used within this campaign targeted specific Triconex Safety Controllers within the environment.[2] The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.[3]

Relationship explorer

All related ATT&CK context

targets · ICS Asset A0009: Data Gateway ICS mitigates · Mitigation M0938: Execution Prevention ICS mitigates · Mitigation M0948: Application Isolation and Sandboxing ICS targets · ICS Asset A0012: Jump Host ICS uses · Campaign C0030: Triton Safety Instrumented System Attack ICS uses · Campaign C0034: 2022 Ukraine Electric Power Attack ICS targets · ICS Asset A0006: Data Historian ICS mitigates · Mitigation M0942: Disable or Remove Feature or Program ICS targets · ICS Asset A0016: Firewall ICS detects · Detection Strategy DET0735: Detection of Scripting ICS uses · Malware S1009: Triton ICS uses · Group G0064: APT33 ICS uses · Campaign C0025: 2016 Ukraine Electric Power Attack ICS targets · ICS Asset A0008: Application Server ICS targets · ICS Asset A0001: Workstation ICS targets · ICS Asset A0007: Control Server ICS uses · Group G0049: OilRig ICS targets · ICS Asset A0002: Human-Machine Interface (HMI) ICS uses · Malware S0496: REvil ICS targets · ICS Asset A0015: Switch ICS
Mitigations

Mitigation direction

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
ac0ca709c0c76bc6...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle ac0ca709c0c7…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack T0853
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use