T1202 Indirect Command Execution
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), Scriptrunner.exe, as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts.[6][3][4][5][1] Adversaries may also abuse the ssh.exe binary to execute malicious commands via the ProxyCommand and LocalCommand options, which can be invoked via the -o flag or by modifying the SSH config file.[2]
Adversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.
| Item | Value |
|---|---|
| ID | T1202 |
| Sub-techniques | No sub-techniques |
| Tactics | Defense Evasion (TA0005) |
| Platforms | Windows |
| Version | 1.3 |
| Created | 18 April 2018 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0193 | Forfiles | Forfiles can be used to subvert controls and possibly conceal command execution by not directly invoking cmd.[6][3] |
| G0032 | Lazarus Group | Lazarus Group persistence mechanisms have used forfiles.exe to execute .htm files.[8] |
| G1039 | RedCurl | RedCurl has used pcalua.exe to obfuscate binary execution and remote connections.[9] |
| S0379 | Revenge RAT | Revenge RAT uses the Forfiles utility to execute commands on the system.[7] |
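The description and the procedure examples above name the same small set of launcher utilities, so a detection can key on them directly. The following is an added example (not part of the ATT&CK page or any MITRE tooling): it flags one of those utilities when its command line carries an embedded command or target, and flags a command interpreter whose parent process is one of them. The event field names and the sample events are assumed and constructed, modelled on Sysmon Event ID 1.

```python
import re

# Utilities named on the page, each with case-insensitive command-line patterns
# that indicate launcher-style use (a command or executable passed as argument).
LAUNCHER_RULES = {
    "forfiles.exe": [r"/c\s"],                        # /c "<command>" runs per matched file
    "pcalua.exe": [r"(^|\s)-a\s"],                    # -a <target> launches via Compat Assistant
    "ssh.exe": [r"proxycommand=", r"localcommand="],  # -o ProxyCommand= / -o LocalCommand=
    "wsl.exe": [r"(^|\s)(-e|--exec)\s"],              # -e <command> runs inside the distro
    "scriptrunner.exe": [r"-appvscript\s"],           # -appvscript <program>
}
# A shell or script host whose parent is one of the launchers shows the indirection landed.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

def image_name(path):
    """Lower-case basename of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(event):
    """Return T1202 findings for one process-creation event (empty list = clean).
    Keys image, parent_image and command_line are assumed (Sysmon Event ID 1 style)."""
    img = image_name(event.get("image", ""))
    parent = image_name(event.get("parent_image", ""))
    cmd = event.get("command_line", "")
    findings = []
    for pat in LAUNCHER_RULES.get(img, []):
        if re.search(pat, cmd, re.IGNORECASE):
            findings.append(f"{img} used as launcher (matched {pat!r})")
    if parent in LAUNCHER_RULES and img in INTERPRETERS:
        findings.append(f"{img} spawned by {parent}")
    return findings

def scan(events):
    """Map each event's index to its findings, omitting clean events."""
    return {i: f for i, e in enumerate(events) if (f := detect(e))}

# Constructed sample events; paths and hosts are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\forfiles.exe",
     "command_line": r'forfiles /p C:\Users\Public /m page.htm /c "cmd /c @file"'},
    {"parent_image": r"C:\Windows\System32\forfiles.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd /c C:\Users\Public\page.htm"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\pcalua.exe",
     "command_line": r"pcalua.exe -a C:\Users\Public\update.exe"},
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "command_line": r"ssh.exe -o ProxyCommand=C:\Users\Public\relay.bat user@host.example"},
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "command_line": r"ssh.exe user@host.example"},  # ordinary client use: no finding
]
```

forfiles /c is also used by legitimate maintenance scripts, so the launcher match is a triage signal to baseline per environment; the parent-child match (an interpreter spawned by one of these utilities) is the stronger indicator.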
References
1. Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting tool to deploy malware. Retrieved July 8, 2024.
2. Cyble. (2024, December 5). Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot. Retrieved February 4, 2025.
3. Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved September 12, 2024.
4. Partington, E. (2017, August 14). Are you looking out for forfiles.exe (if you are watching for cmd.exe). Retrieved January 22, 2018.
5. Secure Team - Information Assurance. (2023, January 8). Windows Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024.
6. vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles?. Retrieved September 12, 2024.
7. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved November 17, 2024.
8. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
9. Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl's Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024.