
Indirect Command Execution

Various Windows utilities can be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), and components of the Windows Subsystem for Linux (WSL), among other utilities, can launch programs and commands from a command-line interface, the Run window, or scripts. [1] [2]

Adversaries may abuse these features for Defense Evasion: they obtain arbitrary execution while sidestepping detections and/or mitigation controls (such as Group Policy) that limit or prevent the use of cmd, or of file extensions more commonly associated with malicious payloads.

ID: T1202
Tactic: Defense Evasion
Platform: Windows
Permissions Required: User
Data Sources: File monitoring, Process monitoring, Process command-line parameters, Windows event logs
Defense Bypassed: Static File Analysis, Application whitelisting, Process whitelisting, Whitelisting by file name or path
Contributors: Matthew Demaske, Adaptforward
Version: 1.0

Procedure Examples

Name        | Description
Forfiles    | Forfiles can be used to subvert controls and possibly conceal command execution by not directly invoking cmd. [1] [2]
Revenge RAT | Revenge RAT uses the Forfiles utility to execute commands on the system. [3]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Monitor and analyze logs from host-based detection mechanisms, such as Sysmon, for process creations whose command-line parameters invoke programs, commands or files through these utilities, and for the child processes or network connections that result from them. [4]
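The following is an added example, not part of the ATT&CK page or its cited sources. It applies the detection idea above (and the launcher list from the technique description) to a handful of constructed Sysmon Event ID 1 records: it flags any process whose parent is one of the named indirect launchers, and any invocation of forfiles, pcalua or the WSL entry points that carries the switch which hands them a command to run. The sample records, the launcher set, the regexes and the rule names are assumptions made for illustration; the two forfiles records are deliberately one abusive (launching calc.exe) and one routine (log cleanup) to show that the command-line check alone cannot separate them, which is why the page calls preventive mitigation difficult.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records, trimmed to the three
# fields the checks below use. Sample data for this example only, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r"forfiles /p C:\Windows\System32 /m notepad.exe /c calc.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\calc.exe",            # the cmd-less child
     "CommandLine": "calc.exe",
     "ParentImage": r"C:\Windows\System32\forfiles.exe"},
    {"Image": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": r"pcalua.exe -a C:\Users\Public\payload.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\bash.exe",
     "CommandLine": 'bash.exe -c "/mnt/c/Users/Public/payload.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\forfiles.exe",        # looks like admin housekeeping
     "CommandLine": r'forfiles /p C:\logs /s /m *.log /d -30 /c "cmd /c del @path"',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",         # benign, should not fire
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Binaries the technique description names as indirect launchers (assumed set).
# A hit on these alone is a lead to triage, not a verdict; administrators use them too.
INDIRECT_LAUNCHERS = {"forfiles.exe", "pcalua.exe", "bash.exe", "wsl.exe"}

# Switches that carry the command each launcher will execute on the caller's behalf.
FORFILES_C = re.compile(r'/c\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
PCALUA_A = re.compile(r"(?:^|\s)-a\s+(\S+)", re.IGNORECASE)
WSL_EXEC = re.compile(r"(?:^|\s)(?:-c|-e|--exec)\s+(.+)$", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event):
    """Return a list of (rule, detail) findings for one process-creation record."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmdline = event["CommandLine"]
    findings = []

    # Strongest signal: a process spawned *by* a launcher is exactly the
    # cmd-less child the technique exists to produce.
    if parent in INDIRECT_LAUNCHERS:
        findings.append(("child_of_indirect_launcher", f"{image} spawned by {parent}"))

    # Weaker signal: a launcher invoked with its "run this command" switch.
    if image == "forfiles.exe":
        m = FORFILES_C.search(cmdline)
        if m:
            findings.append(("forfiles_c_switch", m.group(1) or m.group(2)))
    elif image == "pcalua.exe":
        m = PCALUA_A.search(cmdline)
        if m:
            findings.append(("pcalua_a_switch", m.group(1)))
    elif image in ("bash.exe", "wsl.exe"):
        m = WSL_EXEC.search(cmdline)
        if m:
            findings.append(("wsl_exec_switch", m.group(1)))
    return findings


def scan(events):
    """Map event index -> list of rule names that fired; silent events are omitted."""
    hits = {}
    for i, ev in enumerate(events):
        rules = [rule for rule, _ in analyze(ev)]
        if rules:
            hits[i] = rules
    return hits


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        for rule, detail in analyze(ev):
            print(f"event {i}: {rule}: {detail}")
```

In practice the parent/child rule is the one worth alerting on, and the switch rules are best used to enrich it or to hunt: both forfiles records trip forfiles_c_switch, so the extracted payload (calc.exe versus a del over a log directory) and the parent process are what an analyst actually triages on.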

References