T1202: Indirect Command Execution

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Window utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts.

Adversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.


In this Demo using the forfiles utility which can select multiple files and run a command on them. It is typically used in batch jobs but it could be abused to execute arbitrary command or executable. The parameters "/p" and "/m" are used to perform a search in the windows directory "System32" and on the mask "calc.exe". Anything after "/c" parameter is the actual command that is executed.

Let's check process Explorer and see what happened.

We see here the our payload is a child process of the forfiles utility we can also use this with the Windows "Run" and eliminate the use of the command prompt

Even though it's still the child process of forfiles it tools different steps to execute. We also have the pcalua utility to execute commands as well

From the samples from pcaula this can execute binaries, DLL files they can be local and remote since the binary is proxy aware meaning we can also use UNC Paths.

I was searching for information on why the "-a" parameter but couldn't find any.

The User will receive a prompt to Run

Weird thing though is that the payload executes but Defender manages to Delete and Remove the Payload from the REMOTE SHARE!!.

That is the traffic from when the payload is accessed and being DELETED. Even with a normal payload with no obfuscation straight out of the box can give us a connection

PCALUA is nowhere in the Process Explorer since Defender Kills it but our connection is still active as it becomes its own process.



Last updated