T1202 - Indirect Command Execution

Description from ATT&CK

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017) Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.

Atomic Tests


Atomic Test #1 - Indirect Command Execution - pcalua.exe

The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface. Reference Upon execution, calc.exe should open

Supported Platforms: Windows

auto_generated_guid: cecfea7a-5f03-4cdd-8bc8-6f7c22862440

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | payload_path | Path to payload | path | C:\Windows\System32\calc.exe| | process | Process to execute | string | calc.exe|

Attack Commands: Run with
1
command_prompt
!

pcalua.exe -a #{process}
pcalua.exe -a #{payload_path}



Atomic Test #2 - Indirect Command Execution - forfiles.exe

forfiles.exe may invoke the execution of programs and commands from a Command-Line Interface. Reference “This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe” Upon execution calc.exe will be opened.

Supported Platforms: Windows

auto_generated_guid: 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | process | Process to execute | string | calc.exe|

Attack Commands: Run with
1
command_prompt
!

forfiles /p c:\windows\system32 /m notepad.exe /c #{process}



Atomic Test #3 - Indirect Command Execution - conhost.exe

conhost.exe refers to a host process for the console window. It provide an interface between command prompt and Windows explorer. Executing it through command line can create process ancestry anomalies [Reference] (http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/)

Supported Platforms: Windows

auto_generated_guid: cf3391e0-b482-4b02-87fc-ca8362269b29

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | process | Process to execute | string | notepad.exe|

Attack Commands: Run with
1
command_prompt
!

conhost.exe "#{process}"



Atomic Test #4 - Indirect Command Execution - Scriptrunner.exe

The “ScriptRunner.exe” binary can be abused to proxy execution through it and bypass possible whitelisting. Upon test execution, calc.exe should open Reference: https://x.com/NickTyrer/status/914234924655312896

Supported Platforms: Windows

auto_generated_guid: 0fd14730-6226-4f5e-8d67-43c65f1be940

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | payload_path | Path to the executable | String | C:\Windows\System32\calc.exe|

Attack Commands: Run with
1
powershell
!

1
Scriptrunner.exe -appvscript "#{payload_path}"