Indirect Command Execution
| Indirect Command Execution | |
|---|---|
| Data Sources | Process Monitoring, Process command-line parameters, Windows event logs |
| Defense Bypassed | Application whitelisting, Process whitelisting, Whitelisting by file name or path |
| Contributors | Matthew Demaske, Adaptforward |
Various Windows utilities can be used to execute commands without ever invoking cmd.exe. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), and other utilities can launch programs and commands on behalf of the caller, whether they are started from a command-line interface, from the Run window, or from a script. [1][2]
Adversaries may abuse these utilities for Defense Evasion: they obtain arbitrary execution while sidestepping detections and mitigation controls (such as Group Policy restrictions) that limit or block the use of cmd.exe. Because the detection or control is keyed to cmd.exe itself, a launch that goes through another utility is never seen by it.
- Forfiles can be used to subvert such controls and to conceal command execution, because the command given to its /c switch is started by forfiles.exe rather than by an observable cmd.exe process. [1][2]
Identify or block potentially malicious software that may contain abusive functionality by using application whitelisting [3] tools such as AppLocker [4][5] or Software Restriction Policies [6] where appropriate. [7] The same mechanisms can be used to disable, or restrict user access to, the Windows utilities that can be used to invoke execution (for example forfiles.exe and pcalua.exe for users who have no business need for them).
Monitor and analyze logs from host-based detection mechanisms, such as Sysmon process-creation events, for the utilities named above being started with parameters that invoke a program or command, and for child processes whose parent is one of those utilities. The parent/child relationship and the full command line are the fields that distinguish this technique from ordinary use, since the child itself (a copy of calc.exe, a dropped binary) may look unremarkable on its own. [8]
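The following is an added example, not code from the ATT&CK page or from any of the cited write-ups. It covers both the invocation patterns in the description above (forfiles with /c, pcalua.exe with -a, a WSL shell) and the Sysmon-based detection just described: it scans Sysmon Event ID 1 (process creation) records, represented here as dicts of their EventData fields, and raises an alert when one of the indirect launchers is started with its execution switch present or when any process has one of them as its parent. The sample events are constructed, not captured logs; the rule names, the severity scheme, and the treatment of wsl.exe (everything after the image is taken as the command) are assumptions of this example.

```python
"""Flag indirect command execution in Sysmon process-creation (Event ID 1) data.

Added example for the ATT&CK 'Indirect Command Execution' page; not the
page's own code. Sample events below are constructed.
"""
import ntpath
import re
from typing import Dict, Iterable, List

# Utilities the page names as able to launch programs without cmd.exe.
# bash.exe and wsl.exe are the WSL components; which of them an environment
# actually exposes is an assumption of this example.
INDIRECT_LAUNCHERS = {"forfiles.exe", "pcalua.exe", "bash.exe", "wsl.exe"}

# Switch on each launcher's own command line that carries the thing to run.
# For wsl.exe the whole remainder after the image token is the command.
EXEC_ARG = {
    "forfiles.exe": re.compile(r"(?i)(?:^|\s)/c\s+(.+)$"),
    "pcalua.exe":   re.compile(r"(?i)(?:^|\s)-a\s+(.+)$"),
    "bash.exe":     re.compile(r"(?i)(?:^|\s)-c\s+(.+)$"),
    "wsl.exe":      re.compile(r'(?i)^(?:"[^"]*"|\S+)\s+(.+)$'),
}


def basename(image: str) -> str:
    """Lower-cased file name of a Sysmon Image / ParentImage path."""
    return ntpath.basename(image).lower()


def exec_target(image: str, cmdline: str) -> str:
    """Return what a launcher was told to run, or '' if its exec switch is absent."""
    pat = EXEC_ARG.get(basename(image))
    if pat is None:
        return ""
    m = pat.search(cmdline)
    return m.group(1).strip() if m else ""


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Scan Event ID 1 records (dicts of EventData fields) and return alerts.

    indirect_launch: a launcher started with its execution switch present.
    indirect_child:  any process whose parent is a launcher. forfiles -> cmd.exe
    is downgraded to 'medium' because administrative scripts commonly use
    'forfiles ... /c "cmd /c ..."'; any other child is the cmd-bypass case.
    """
    alerts: List[Dict[str, str]] = []
    for ev in events:
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        if image in INDIRECT_LAUNCHERS:
            target = exec_target(ev["Image"], ev["CommandLine"])
            if target:
                alerts.append({"rule": "indirect_launch", "severity": "medium",
                               "pid": ev["ProcessId"], "launcher": image,
                               "target": target})
        if parent in INDIRECT_LAUNCHERS:
            sev = "medium" if (parent == "forfiles.exe" and image == "cmd.exe") else "high"
            alerts.append({"rule": "indirect_child", "severity": sev,
                           "pid": ev["ProcessId"], "launcher": parent,
                           "target": image})
    return alerts


# Constructed Sysmon Event ID 1 records (EventData fields only), not real logs.
SAMPLE_EVENTS = [
    # benign interactive launch
    {"ProcessId": "1200", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
    # forfiles told to run calc.exe once for a file that always exists;
    # no cmd.exe appears anywhere in the chain
    {"ProcessId": "1300", "Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r"forfiles /p C:\Windows\System32 /m notepad.exe /c calc.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"ProcessId": "1301", "Image": r"C:\Windows\System32\calc.exe",
     "CommandLine": "calc.exe",
     "ParentImage": r"C:\Windows\System32\forfiles.exe",
     "ParentCommandLine": r"forfiles /p C:\Windows\System32 /m notepad.exe /c calc.exe"},
    # Program Compatibility Assistant launching an arbitrary binary
    {"ProcessId": "1400", "Image": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": r"pcalua.exe -a C:\Users\Public\update.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"ProcessId": "1401", "Image": r"C:\Users\Public\update.exe",
     "CommandLine": r"C:\Users\Public\update.exe",
     "ParentImage": r"C:\Windows\System32\pcalua.exe",
     "ParentCommandLine": r"pcalua.exe -a C:\Users\Public\update.exe"},
    # routine log clean-up: forfiles spawning cmd.exe, downgraded to medium
    {"ProcessId": "1500", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c del C:\Logs\old.log",
     "ParentImage": r"C:\Windows\System32\forfiles.exe",
     "ParentCommandLine": r'forfiles /p C:\Logs /m *.log /d -30 /c "cmd /c del @path"'},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Run against the constructed events, the benign notepad.exe launch produces nothing, the forfiles and pcalua chains each produce a launch alert plus a high-severity child alert, and the log clean-up produces a single medium alert. In a real deployment the same two rules map directly onto a Sysmon filter on Image / ParentImage plus a command-line match, and the severity split is where local tuning belongs.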
1. vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles?. Retrieved January 22, 2018.
2. Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved January 22, 2018.
3. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
4. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
5. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
6. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved November 18, 2014.
7. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.
8. Partington, E. (2017, August 14). Are you looking out for forfiles.exe (if you are watching for cmd.exe). Retrieved January 22, 2018.