Indirect Command Execution

Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command-Line Interface, Run window, or via scripts. [1] [2]

Adversaries may abuse these utilities for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd.

ID: T1202

Tactic: Defense Evasion

Platform: Windows

Permissions Required: User

Data Sources: Process monitoring, Process command-line parameters, Windows event logs

Defense Bypassed: Application whitelisting, Process whitelisting, Whitelisting by file name or path

Contributors: Matthew Demaske, Adaptforward

Version: 1.0

Examples

Forfiles can be used to subvert controls and possibly conceal command execution by not directly invoking cmd. [1] [2]

Mitigation

Identify or block potentially malicious software that may contain abusive functionality by using whitelisting tools [3] such as AppLocker [4] [5] or Software Restriction Policies [6] where appropriate. [7] These mechanisms can also be used to disable and/or limit user access to the Windows utilities that are used to invoke execution.

Detection

Monitor and analyze logs from host-based detection mechanisms, such as Sysmon, for process creation events that include, or result from, command-line parameters associated with invoking programs/commands, and for child processes spawned by these utilities. [8]
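The detection logic above, written out as an added example that is not part of the original technique page. It runs over a handful of constructed process-creation records in a simplified pipe-separated `key=value` form (an assumed format standing in for Sysmon Event ID 1 fields, not real Sysmon XML) and flags two things: one of the utilities named on this page being invoked with another program in its arguments, and any process whose parent is one of those utilities. The launcher list, the sample events and the field layout are all assumptions for the example.

```python
"""Toy detection pass over constructed Sysmon-style process-creation records."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Utilities this page names as able to launch programs without going through cmd.
# (Assumed list for the example; extend it to match your own environment.)
INDIRECT_LAUNCHERS = {"forfiles.exe", "pcalua.exe", "wsl.exe", "bash.exe"}

# Anything that looks like a program or script reference inside a command line.
EXECUTABLE_REF = re.compile(r"[\w\\:.\-]+\.(?:exe|com|bat|cmd|ps1|vbs|js)\b", re.IGNORECASE)

# Constructed sample records, flattened to one pipe-separated key=value line each.
SAMPLE_EVENTS = [
    "UtcTime=2019-05-01 12:00:01.000|Image=C:\\Windows\\explorer.exe|CommandLine=C:\\Windows\\Explorer.EXE|ParentImage=C:\\Windows\\System32\\userinit.exe|User=CORP\\alice",
    "UtcTime=2019-05-01 12:00:05.000|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe notes.txt|ParentImage=C:\\Windows\\explorer.exe|User=CORP\\alice",
    "UtcTime=2019-05-01 12:00:09.000|Image=C:\\Windows\\System32\\forfiles.exe|CommandLine=forfiles /p C:\\Windows\\System32 /m notepad.exe /c calc.exe|ParentImage=C:\\Windows\\explorer.exe|User=CORP\\alice",
    "UtcTime=2019-05-01 12:00:09.100|Image=C:\\Windows\\System32\\calc.exe|CommandLine=calc.exe|ParentImage=C:\\Windows\\System32\\forfiles.exe|User=CORP\\alice",
    "UtcTime=2019-05-01 12:01:30.000|Image=C:\\Windows\\System32\\pcalua.exe|CommandLine=pcalua.exe -a C:\\Users\\alice\\Downloads\\setup.exe|ParentImage=C:\\Windows\\explorer.exe|User=CORP\\alice",
]


@dataclass
class ProcessCreate:
    utc_time: str
    image: str
    command_line: str
    parent_image: str
    user: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (accepts either separator)."""
    return re.split(r"[\\/]", path)[-1].lower()


def parse_event(line: str) -> ProcessCreate:
    """Parse one constructed key=value record into a ProcessCreate."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessCreate(
        utc_time=fields["UtcTime"],
        image=fields["Image"],
        command_line=fields["CommandLine"],
        parent_image=fields["ParentImage"],
        user=fields["User"],
    )


def classify(ev: ProcessCreate) -> Optional[str]:
    """Return a reason if the event matches the indirect-execution pattern, else None."""
    image = basename(ev.image)
    parent = basename(ev.parent_image)
    if image in INDIRECT_LAUNCHERS:
        # Collect every program referenced on the command line, minus the launcher itself.
        refs = {basename(m.group(0)) for m in EXECUTABLE_REF.finditer(ev.command_line)}
        refs.discard(image)
        if refs:
            return f"{image} invoked with program argument(s): {sorted(refs)}"
    if parent in INDIRECT_LAUNCHERS:
        # The child is the interesting record: it was started without a cmd.exe parent.
        return f"{image} spawned by indirect launcher {parent}"
    return None


def detect(lines: List[str]) -> List[dict]:
    """Run classify() over raw records and return the flagged ones with context."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            hits.append({"time": ev.utc_time, "user": ev.user,
                         "image": basename(ev.image), "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['user']} {hit['image']}: {hit['reason']}")
```

Correlating the two rules is what makes this useful in practice: the launcher invocation and the child it spawns arrive as separate events, so an alert that joins them by parent image and timestamp gives an analyst the full chain rather than two isolated records. Benign administrative use of forfiles will also match, so the hit list is a triage queue, not a verdict.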