Indirect Command Execution

Technique: Indirect Command Execution
ID: T1202
Tactic: Defense Evasion
Platform: Windows
Permissions Required: User
Data Sources: Process Monitoring, Process command-line parameters, Windows event logs
Defense Bypassed: Application whitelisting, Process whitelisting, Whitelisting by file name or path
Contributors: Matthew Demaske, Adaptforward

Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command-Line Interface, Run window, or via scripts.[1][2]

Adversaries may abuse these utilities for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd.

Examples

  • Forfiles can be used to subvert controls and possibly conceal command execution by not directly invoking cmd.[1][2]

Mitigation

Identify or block potentially malicious software that may contain abusive functionality by using whitelisting[3] tools, like AppLocker[4][5] or Software Restriction Policies,[6] where appropriate.[7] These mechanisms can also be used to disable and/or limit user access to the Windows utilities used to invoke execution.

Detection

Monitor and analyze logs from host-based detection mechanisms, such as Sysmon, for process creation events whose command-line parameters are associated with invoking programs or commands, and for the child processes spawned as a result.[8]
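The detection guidance above, and the Examples section naming Forfiles, pcalua.exe and WSL, can be turned into a small triage rule over Sysmon Event ID 1 (process creation) records. The following is an added example for this page, not ATT&CK or Sysmon code: it assumes Sysmon's Image, CommandLine and ParentImage field names, the set of proxy utilities named on the page, and the launcher switches Forfiles (/c) and pcalua.exe (-a) take for a command argument. The event records are constructed, not real telemetry.

```python
"""Flag Sysmon Event ID 1 records that indicate indirect command execution.

Two signals are checked, matching the page's detection guidance:
  1. one of the proxy utilities is started with a command argument;
  2. a child process has one of the proxy utilities as its parent.
"""
import ntpath
from dataclasses import dataclass
from typing import Iterable

# Utilities the page names as proxies for command execution.
PROXY_IMAGES = {"forfiles.exe", "pcalua.exe", "wsl.exe", "bash.exe"}

# Assumed: the switch each proxy uses to take a command to run. WSL components
# take the command directly, so any invocation of them is reported.
LAUNCH_SWITCHES = {"forfiles.exe": "/c", "pcalua.exe": "-a"}


@dataclass(frozen=True)
class Finding:
    record_id: int
    reason: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on non-Windows hosts)."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    tokens = event.get("CommandLine", "").lower().split()

    if image in PROXY_IMAGES:
        switch = LAUNCH_SWITCHES.get(image)
        # forfiles/pcalua only proxy execution when given their command switch;
        # without it (e.g. forfiles just listing files) the event is ignored.
        if switch is None or switch in tokens:
            reasons.append(f"{image} invoked with a command argument")
    if parent in PROXY_IMAGES:
        reasons.append(f"child process spawned by {parent}")
    return reasons


def scan(events: Iterable[dict]) -> list[Finding]:
    """Run classify() over a stream of events and collect the findings."""
    return [
        Finding(e["RecordId"], reason, e["Image"], e["CommandLine"])
        for e in events
        for reason in classify(e)
    ]


# Constructed sample events modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r'forfiles /p C:\Temp /m *.txt /c "notepad @file"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"RecordId": 2, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad C:\Temp\a.txt",
     "ParentImage": r"C:\Windows\System32\forfiles.exe"},
    {"RecordId": 3, "Image": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": r"pcalua.exe -a C:\Users\Public\tool.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"RecordId": 4, "Image": r"C:\Windows\System32\wsl.exe",
     "CommandLine": "wsl.exe cat /etc/os-release",
     "ParentImage": r"C:\Windows\System32\WindowsTerminal.exe"},
    {"RecordId": 5, "Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r"forfiles /p C:\Logs /d -7",  # no /c: only lists files
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"RecordId": 6, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {f.reason} :: {f.command_line}")
```

Records 1 to 4 are reported and records 5 and 6 are not. The parent-process check is the more durable of the two signals, since it does not depend on how the command line was spelled; the WSL rule, by contrast, fires on every wsl.exe or bash.exe start and needs baselining against normal developer usage before it is alerted on.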