
Indirect Command Execution

Description from ATT&CK

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)

Adversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.

Atomic Tests

Atomic Test #1 - Indirect Command Execution - pcalua.exe

The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface (Reference). The -a switch names the application to launch; the test runs it twice, once by name and once by full path. Upon execution, calc.exe should open.

Supported Platforms: windows

auto_generated_guid: cecfea7a-5f03-4cdd-8bc8-6f7c22862440

Inputs:

Name          Description         Type    Default Value
payload_path  Path to payload     path    C:\Windows\System32\calc.exe
process       Process to execute  string  calc.exe

Attack Commands: Run with command_prompt!

pcalua.exe -a #{process}
pcalua.exe -a #{payload_path}

Atomic Test #2 - Indirect Command Execution - forfiles.exe

forfiles.exe may invoke the execution of programs and commands from a Command-Line Interface (Reference: "This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe"). In the command below, /p is the directory to search, /m the file mask to match, and /c the command forfiles runs for every match, so the payload starts as a child of forfiles.exe. Upon execution, calc.exe will be opened.

Supported Platforms: windows

auto_generated_guid: 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc

Inputs:

Name     Description         Type    Default Value
process  Process to execute  string  calc.exe

Attack Commands: Run with command_prompt!

forfiles /p c:\windows\system32 /m notepad.exe /c #{process}

Atomic Test #3 - Indirect Command Execution - conhost.exe

conhost.exe is the host process for the console window; it provides the interface between command-line programs and the Windows desktop. Launching a program through it from the command line creates a process-ancestry anomaly: the payload's parent becomes conhost.exe, whereas normally the console application is the one that owns a conhost.exe instance. Reference: http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/

Supported Platforms: windows

auto_generated_guid: cf3391e0-b482-4b02-87fc-ca8362269b29

Inputs:

Name     Description         Type    Default Value
process  Process to execute  string  notepad.exe

Attack Commands: Run with command_prompt!

conhost.exe "#{process}"

Atomic Test #4 - Indirect Command Execution - Scriptrunner.exe

The ScriptRunner.exe binary can be abused to proxy execution through it and bypass possible application whitelisting: its -appvscript switch takes the path of a program to run, which then starts as a child of ScriptRunner.exe. Upon test execution, calc.exe should open. Reference: https://x.com/NickTyrer/status/914234924655312896

Supported Platforms: windows

auto_generated_guid: 0fd14730-6226-4f5e-8d67-43c65f1be940

Inputs:

Name          Description             Type    Default Value
payload_path  Path to the executable  string  C:\Windows\System32\calc.exe

Attack Commands: Run with powershell!

Scriptrunner.exe -appvscript "#{payload_path}"
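The four tests above all leave the same two traces in process-creation telemetry: the proxy binary itself, started with the switch that hands it a program (-a, /c, a bare image name, -appvscript), and the payload, whose parent image is the proxy rather than cmd.exe or explorer.exe. The following detection sketch is an added example, not Atomic Red Team code; it runs two such rules over a handful of constructed records modelled on Sysmon Event ID 1 fields (Image, CommandLine, ParentImage), including a normal system-launched conhost.exe and an explorer-launched notepad.exe that must not fire.

```python
import ntpath
import re

# Proxy binaries exercised by the four tests on this page.
PROXY_BINARIES = {"pcalua.exe", "forfiles.exe", "conhost.exe", "scriptrunner.exe"}

# Command-line shapes taken from the tests.  "(?:^|\\)" tolerates a full path
# before the image name; the optional quote tolerates "C:\...\pcalua.exe".
# The conhost rule requires an image-like first argument, so the system's own
# launches ("conhost.exe 0x4", "conhost.exe --headless ...") do not match.
CMDLINE_RULES = {
    "pcalua.exe": re.compile(r'(?:^|\\)pcalua(?:\.exe)?"?\s+-a\s+\S', re.I),
    "forfiles.exe": re.compile(r'(?:^|\\)forfiles(?:\.exe)?"?\s.*?\s/c\s+\S', re.I),
    "scriptrunner.exe": re.compile(r'(?:^|\\)scriptrunner(?:\.exe)?"?\s+-appvscript\s+\S', re.I),
    "conhost.exe": re.compile(
        r'(?:^|\\)conhost(?:\.exe)?"?\s+"?[^\s"-][^\s"]*\.(?:exe|bat|cmd|ps1|vbs|js)\b', re.I),
}


def basename(path):
    # ntpath handles Windows separators even when run on a non-Windows host.
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, proxy, image) hits for Sysmon-style process-creation dicts."""
    hits = []
    for ev in events:
        image = basename(ev["Image"])
        parent = basename(ev["ParentImage"])
        # Rule 1: the proxy itself, launched with the switch that hands it a program.
        rule = CMDLINE_RULES.get(image)
        if rule and rule.search(ev["CommandLine"]):
            hits.append(("proxy_cmdline", image, image))
        # Rule 2: any process whose parent is a proxy.  For conhost this is the
        # ancestry inversion from the Hexacorn post: the payload's parent is
        # conhost.exe instead of conhost.exe belonging to a console client.
        if parent in PROXY_BINARIES:
            hits.append(("proxy_parent", parent, image))
    return hits


# Constructed sample records (not real logs), one proxy/payload pair per test,
# plus two benign events that a tuned rule must leave alone.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": "pcalua.exe -a calc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\calc.exe",
     "CommandLine": "calc.exe",
     "ParentImage": r"C:\Windows\System32\pcalua.exe"},
    {"Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r"forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\calc.exe",
     "CommandLine": "calc.exe",
     "ParentImage": r"C:\Windows\System32\forfiles.exe"},
    {"Image": r"C:\Windows\System32\conhost.exe",          # benign: system-started host
     "CommandLine": r"\??\C:\WINDOWS\system32\conhost.exe 0x4",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": 'conhost.exe "notepad.exe"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\System32\conhost.exe"},
    {"Image": r"C:\Windows\System32\ScriptRunner.exe",
     "CommandLine": r'Scriptrunner.exe -appvscript "C:\Windows\System32\calc.exe"',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\calc.exe",
     "CommandLine": r"C:\Windows\System32\calc.exe",
     "ParentImage": r"C:\Windows\System32\ScriptRunner.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",           # benign: user-launched
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("%-14s proxy=%-17s image=%s" % hit)
```

Rule 2 on its own is the more robust of the two, because it does not care how the proxy was invoked. Expect forfiles.exe to be the noisy one: /c is routinely used in maintenance scripts, so baseline the children it normally spawns (typically cmd.exe) before alerting on it, and treat pcalua.exe, conhost.exe and ScriptRunner.exe as parents as rare enough to alert on directly.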
