Stealth

T1202: Indirect Command Execution

T1202 · Technique · 1 platform · 2 groups

Description

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), Scriptrunner.exe, as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe) Adversaries may also abuse the ssh.exe binary to execute malicious commands via the ProxyCommand and LocalCommand options, which can be invoked via the -o flag or by modifying the SSH config file.(Citation: Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot)

Adversaries may abuse these features for Stealth, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.
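As an added example that is not part of the ATT&CK entry, the following Python snippet turns the description above into a detection check over process-creation records: each proxy utility the text names is flagged only when its command line carries the option that turns it into a launcher, so a plain forfiles listing is not reported. The event field names and the sample records are constructed assumptions, not real telemetry.

```python
import re
from typing import Dict, List, Optional, Tuple

# Per-utility command-line patterns that indicate a proxied command launch.
# Keys are lower-case image basenames as seen in Sysmon EID 1 / EDR process-start events.
INDIRECT_EXEC_RULES: Dict[str, Tuple["re.Pattern[str]", str]] = {
    "forfiles.exe":     (re.compile(r"(?:^|\s)/c\s", re.I),
                         "forfiles /c runs a command for every matched file"),
    "pcalua.exe":       (re.compile(r"(?:^|\s)-a\s", re.I),
                         "Program Compatibility Assistant -a launches the named executable"),
    "scriptrunner.exe": (re.compile(r"(?:^|\s)-appvscript\s", re.I),
                         "ScriptRunner -appvscript executes the named script"),
    # Only the explicit -e/--exec form of WSL is covered here; tune for your environment.
    "wsl.exe":          (re.compile(r"(?:^|\s)(?:-e|--exec)\s", re.I),
                         "WSL -e/--exec hands a command to the Linux side"),
    "ssh.exe":          (re.compile(r"-o\s*(?:ProxyCommand|LocalCommand)\s*=", re.I),
                         "ssh -o ProxyCommand/LocalCommand runs a local command"),
}

def basename(path: str) -> str:
    """Lower-case file name of an image path, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> Optional[Tuple[str, str]]:
    """Return (image_basename, reason) when the event matches a T1202 pattern, else None."""
    image = basename(event.get("image", ""))
    rule = INDIRECT_EXEC_RULES.get(image)
    if rule is None:
        return None
    pattern, reason = rule
    return (image, reason) if pattern.search(event.get("cmdline", "")) else None

def find_indirect_execution(events: List[dict]) -> List[Tuple[str, str]]:
    """Filter a batch of process-creation events down to the T1202 matches."""
    return [hit for hit in (classify(e) for e in events) if hit is not None]

# Constructed sample events (assumed field names: image, cmdline).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r'forfiles /p C:\Users\Public /m page.htm /c "cmd /c start @file"'},
    {"image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r"forfiles /p C:\Logs /m *.log /d -30"},  # listing only, no /c: benign
    {"image": r"C:\Windows\System32\pcalua.exe",
     "cmdline": r"pcalua.exe -a C:\Users\Public\setup.exe"},
    {"image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": r'ssh.exe -o ProxyCommand="C:\Users\Public\relay.exe" host.example'},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for image, reason in find_indirect_execution(SAMPLE_EVENTS):
        print(f"T1202 candidate: {image}: {reason}")
```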

Platforms

Windows

Threat Groups (2)

| ID | Group | Context |
|---|---|---|
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) persistence mechanisms have used <code>forfiles.exe</code> to execute .htm files.(Citation: Qua... |
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) has used pcalua.exe to obfuscate binary execution and remote connections.(Citation: trendmicro_redcur... |

Associated Software (2)

| ID | Name | Type | Context |
|---|---|---|---|
| S0193 | Forfiles | Tool | [Forfiles](https://attack.mitre.org/software/S0193) can be used to subvert controls and possibly conceal command execution by not directly invoking [c... |
| S0379 | Revenge RAT | Malware | [Revenge RAT](https://attack.mitre.org/software/S0379) uses the [Forfiles](https://attack.mitre.org/software/S0193) utility to execute commands on the... |

Frequently Asked Questions

What is T1202 (Indirect Command Execution)?

T1202 is a MITRE ATT&CK technique named 'Indirect Command Execution'. It belongs to the Stealth tactic. Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd.

How can T1202 be detected?

Detection of T1202 (Indirect Command Execution) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1202?

Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.

Which threat groups use T1202?

Known threat groups using T1202 include: Lazarus Group, RedCurl.