# T1202 - Indirect Command Execution

Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)

Adversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.

## Atomic Tests


### Atomic Test #1 - Indirect Command Execution - pcalua.exe

The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface.

Reference

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process | Process to execute | string | calc.exe |
| payload_path | Path to payload | path | c:\temp\payload.dll |
| payload_cpl_path | Path to payload | path | C:\Windows\system32\javacpl.cpl -c Java |

**Attack Commands:** Run with `command_prompt`!

```cmd
pcalua.exe -a #{process}
pcalua.exe -a #{payload_path}
pcalua.exe -a #{payload_cpl_path}
```


### Atomic Test #2 - Indirect Command Execution - forfiles.exe

forfiles.exe may invoke the execution of programs and commands from a Command-Line Interface.

Reference

> "This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe"

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process | Process to execute | string | calc.exe |

**Attack Commands:** Run with `command_prompt`!

```cmd
forfiles /p c:\windows\system32 /m notepad.exe /c #{process}
forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
```
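The two tests above leave the same process-creation footprint: `pcalua.exe -a <target>` or `forfiles ... /c <target>` spawning the real payload. The following detection logic is an added example, not part of the Atomic Red Team repository; it runs over constructed Sysmon-style events (the `Image`/`ParentImage`/`CommandLine` field names are an assumption) and also flags the alternate-data-stream target used in the second forfiles command.

```python
import re

# Constructed sample process-creation events in a Sysmon Event ID 1 style;
# the field names are an assumption, not a real telemetry export.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\pcalua.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"pcalua.exe -a calc.exe"},
    {"Image": r"C:\Windows\System32\pcalua.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'pcalua.exe -a "C:\temp\payload.dll"'},
    {"Image": r"C:\Windows\System32\forfiles.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"},
    {"Image": r"C:\Windows\System32\forfiles.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"'},
    # Benign: forfiles used only to enumerate old logs, no /c child command.
    {"Image": r"C:\Windows\System32\forfiles.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"forfiles /p c:\logs /m *.log /d -30"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe readme.txt"},
]

# Proxy binary -> regex capturing the argument that names the program it launches
# (pcalua.exe -a <target>, forfiles ... /c <target>), quoted or bare.
PROXY_PATTERNS = {
    "pcalua.exe": re.compile(r'(?i)\s-a\s+(?:"([^"]+)"|(\S+))'),
    "forfiles.exe": re.compile(r'(?i)\s/c\s+(?:"([^"]+)"|(\S+))'),
}

def proxied_target(event):
    """Return the program this pcalua/forfiles event hands off to, or None."""
    binary = event["Image"].rsplit("\\", 1)[-1].lower()
    pattern = PROXY_PATTERNS.get(binary)
    if pattern is None:
        return None
    match = pattern.search(event["CommandLine"])
    if match is None:
        return None
    return match.group(1) or match.group(2)

def find_indirect_execution(events):
    """Return (proxy, target, uses_ads) for each event worth triaging; uses_ads is
    True when the target has a colon past the drive letter (NTFS alternate stream)."""
    hits = []
    for event in events:
        target = proxied_target(event)
        if target:
            proxy = event["Image"].rsplit("\\", 1)[-1].lower()
            hits.append((proxy, target, ":" in target[2:]))
    return hits
```

In production the parent image is the useful triage pivot: both proxies launched from an Office or browser process warrant a closer look than the same command typed at an administrator's prompt.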