T1202 Indirect Command Execution
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts. [3][1]
Adversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.
Item | Value |
---|---|
ID | T1202 |
Sub-techniques | |
Tactics | TA0005 |
Platforms | Windows |
Version | 1.1 |
Created | 18 April 2018 |
Last Modified | 05 May 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0193 | Forfiles | Forfiles can be used to subvert controls and possibly conceal command execution by not directly invoking cmd. [3][1] |
G0032 | Lazarus Group | Lazarus Group persistence mechanisms have used forfiles.exe to execute .htm files. [5] |
S0379 | Revenge RAT | Revenge RAT uses the Forfiles utility to execute commands on the system. [4] |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | Process Creation |
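As an added example that is not part of the ATT&CK page, the following Python rule runs over constructed process-creation events (the Sysmon-style field names and the sample command lines are assumptions) and flags the utilities named in the technique text when their command lines show them launching something else: forfiles.exe with /c, pcalua.exe with -a, and wsl.exe with a trailing command.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 style), not
# real telemetry. Each carries the fields a detection rule needs: the parent
# image, the created image, and the full command line.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\forfiles.exe",
     "cmd": r'forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c @file"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\forfiles.exe",
     "cmd": r'forfiles /p C:\Logs /m *.log /d -30 /c "cmd /c del @path"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\pcalua.exe",
     "cmd": r"pcalua.exe -a C:\Users\Public\update.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wsl.exe",
     "cmd": r"wsl.exe ls /mnt/c/Users"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmd": r"notepad.exe C:\Users\Public\notes.txt"},
]

# One rule per utility named in the technique text: (rule name, image pattern,
# command-line pattern that indicates the utility is being used to launch
# something rather than for its ordinary purpose).
INDIRECT_EXEC_RULES = [
    # forfiles runs its /c argument once per matched file.
    ("forfiles", re.compile(r"\\forfiles\.exe$", re.I), re.compile(r"\s/c\s", re.I)),
    # pcalua.exe -a <program> starts the program via the compatibility assistant.
    ("pcalua", re.compile(r"\\pcalua\.exe$", re.I), re.compile(r"\s-a\s", re.I)),
    # wsl.exe with any trailing argument runs that command in the Linux environment.
    ("wsl", re.compile(r"\\wsl\.exe$", re.I), re.compile(r"^\S+\s+\S", re.I)),
]

def detect_indirect_execution(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event whose image and command line match a rule."""
    findings = []
    for event in events:
        for rule, image_re, cmd_re in INDIRECT_EXEC_RULES:
            if image_re.search(event["image"]) and cmd_re.search(event["cmd"]):
                findings.append({"rule": rule, "parent": event["parent"],
                                 "cmd": event["cmd"]})
    return findings

if __name__ == "__main__":
    for f in detect_indirect_execution(SAMPLE_EVENTS):
        print(f"[{f['rule']}] parent={f['parent']} cmd={f['cmd']}")
```

The parent image is carried into each finding because the same forfiles /c pattern appears in routine cleanup jobs; triage on parent (explorer.exe or an Office process versus a scheduled-task cmd.exe) is what separates the two.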
References
1. Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved January 22, 2018.
2. Partington, E. (2017, August 14). Are you looking out for forfiles.exe (if you are watching for cmd.exe). Retrieved January 22, 2018.
3. vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles?. Retrieved January 22, 2018.
4. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019.
5. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.