
T1202 Indirect Command Execution

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts.[3][1]

Adversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.

| Item | Value |
| --- | --- |
| ID | T1202 |
| Sub-techniques | |
| Tactics | TA0005 |
| Platforms | Windows |
| Version | 1.1 |
| Created | 18 April 2018 |
| Last Modified | 05 May 2022 |

Procedure Examples

| ID | Name | Description |
| --- | --- | --- |
| S0193 | Forfiles | Forfiles can be used to subvert controls and possibly conceal command execution by not directly invoking cmd.[3][1] |
| G0032 | Lazarus Group | Lazarus Group persistence mechanisms have used forfiles.exe to execute .htm files.[5] |
| S0379 | Revenge RAT | Revenge RAT uses the Forfiles utility to execute commands on the system.[4] |

Detection

| ID | Data Source | Data Component |
| --- | --- | --- |
| DS0017 | Command | Command Execution |
| DS0009 | Process | Process Creation |
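Detection logic for the two data components above, as an added example that is not part of the ATT&CK page: it scans constructed process-creation records for children of the proxy utilities the page names (plus bash.exe, assumed here as the WSL launcher binary) and for command lines that hand a command to forfiles /c or pcalua -a. The record fields follow Sysmon Event ID 1 (Image, ParentImage, CommandLine) and are an assumption about the telemetry source.

```python
"""Flag indirect command execution (T1202) in process-creation telemetry.
Added example; the sample events are constructed, in a simplified Sysmon Event ID 1 shape."""
import re
from collections import namedtuple
from pathlib import PureWindowsPath

# Proxy utilities named on the ATT&CK page, plus bash.exe (assumed: the WSL launcher binary).
PROXY_PARENTS = {"forfiles.exe", "pcalua.exe", "wsl.exe", "bash.exe"}
# Command-line shapes that hand a command to a proxy: forfiles ... /c "<cmd>", pcalua -a <app>.
PROXY_CMDLINE = [
    re.compile(r"\bforfiles(\.exe)?\b.*\s/c\s", re.IGNORECASE),
    re.compile(r"\bpcalua(\.exe)?\b.*\s-a\s", re.IGNORECASE),
]
# Fields mirror Sysmon's Image, ParentImage and CommandLine (assumed telemetry shape).
ProcessEvent = namedtuple("ProcessEvent", "image parent_image command_line")

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def classify(ev) -> list:
    """Return the T1202 indicators this event matches (empty list = no match)."""
    hits = []
    parent = basename(ev.parent_image)
    if parent in PROXY_PARENTS:             # Process Creation: child spawned by a proxy utility
        hits.append(f"child of proxy utility {parent}")
    for pat in PROXY_CMDLINE:               # Command Execution: proxy invoked with a command
        if pat.search(ev.command_line):
            hits.append(f"command line matches {pat.pattern}")
    return hits

def scan(events) -> list:
    """Return (image basename, reasons) for every event matching at least one indicator."""
    flagged = [(basename(ev.image), classify(ev)) for ev in events]
    return [f for f in flagged if f[1]]

# Constructed sample telemetry (not real data): a benign cmd launch, forfiles invoked
# with /c, the cmd that forfiles then spawns, and a process started through pcalua.exe.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd /c dir"),
    ProcessEvent(r"C:\Windows\System32\forfiles.exe", r"C:\Windows\System32\cmd.exe",
                 r'forfiles /p C:\Temp /m *.txt /c "cmd /c echo @path"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\forfiles.exe",
                 r"cmd /c echo C:\Temp\a.txt"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\pcalua.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The parent-process check is the more robust of the two signals, since it fires regardless of how the command string was obfuscated; the command-line patterns catch the proxy being invoked before its child appears.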

References