Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe
), components of the Windows Subsystem for Linux (WSL), Scriptrunner.exe
, as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts.[1][2][3][4][5] Adversaries may also abuse the ssh.exe
binary to execute malicious commands via the ProxyCommand
and LocalCommand
options, which can be invoked via the -o
flag or by modifying the SSH config file.[6]
Adversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.
ID | Name | Description |
---|---|---|
S0193 | Forfiles |
Forfiles can be used to subvert controls and possibly conceal command execution by not directly invoking cmd.[1][2] |
G0032 | Lazarus Group |
Lazarus Group persistence mechanisms have used |
G1039 | RedCurl |
RedCurl has used pcalua.exe to obfuscate binary execution and remote connections.[8] |
S0379 | Revenge RAT |
Revenge RAT uses the Forfiles utility to execute commands on the system.[9] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor executed commands and arguments to bypass security restrictions that limit the use of command-line interpreters. Look for suspicious command-line arguments, such as |
DS0009 | Process | Process Creation |
Monitor for newly constructed processes and/or command-lines that can be used instead of invoking cmd (i.e. |