T1202: Indirect Command Execution
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts.
Adversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_defense_evasion: PT-CR-955: Wlrmdr_LOLBin: Bypassing protection with wlrmdr.exe
mitre_attck_defense_evasion: PT-CR-457: Pcalua_AWL_Bypass: An attempt to bypass application-start restrictions by using Microsoft Windows pcalua.exe (Program Compatibility Assistant)
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0017 | Command: Command Execution | Monitor executed commands and arguments that may be used to bypass security restrictions limiting the use of command-line interpreters. |
| DS0009 | Process: Process Creation | Monitor for newly created processes and/or command lines that can be used instead of invoking cmd (e.g. pcalua.exe, winrs.exe, cscript.exe/wscript.exe, hh.exe, or bash.exe). |
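The two data sources above come together in one check: look at the process-creation event, match the image against the known proxy binaries, and then inspect the command line for the argument that hands a payload to that proxy. The following Python is an added example, not code from this page, from MITRE, or from any Positive Technologies rule; it runs over constructed Sysmon-style (Event ID 1) records embedded inline. The watchlist, the per-binary argument patterns (pcalua.exe `-a`, forfiles `/c`, bash.exe `-c`, wsl.exe `-e`/`--exec`, winrs.exe `-r:`, wlrmdr.exe `-u`, a .chm or URL for hh.exe, a script file for cscript/wscript) and the list of suspicious parent processes are assumptions of the example drawn from the documented usage of each tool, not an exhaustive set.

```python
"""Detection example for T1202 (indirect command execution).

Added example, not code from the original page or from a vendor rule.
Scans constructed Sysmon-style process-creation records for the proxy
binaries named on the page and extracts the command each one was asked
to run. The regexes encode the documented invocation syntax of each
binary and are an assumption of this example.
"""
import ntpath
import re

# Proxy binary -> regex that matches its "run this" form and captures the
# proxied payload. Assumed patterns based on each tool's documented usage.
PROXY_PATTERNS = {
    "pcalua.exe": r"\s-a\s+(?P<payload>.+?)\s*$",
    "forfiles.exe": r"\s/c\s+(?P<payload>.+?)\s*$",
    "bash.exe": r"\s-c\s+(?P<payload>.+?)\s*$",
    "wsl.exe": r"\s(?:-e|--exec)\s+(?P<payload>.+?)\s*$",
    "winrs.exe": r"\s-r:\S+\s+(?P<payload>.+?)\s*$",
    "wlrmdr.exe": r"\s-u\s+(?P<payload>.+?)\s*$",
    "hh.exe": r"\s(?P<payload>(?:\S+\.chm\b|https?://\S+).*?)\s*$",
    "cscript.exe": r"\s(?P<payload>\S+\.(?:vbs|vbe|js|jse|wsf)\b.*?)\s*$",
    "wscript.exe": r"\s(?P<payload>\S+\.(?:vbs|vbe|js|jse|wsf)\b.*?)\s*$",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in PROXY_PATTERNS.items()}

# Parents that have no business launching a command proxy; assumed list
# for this example, used only to raise severity.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "mshta.exe"}


def image_name(path):
    """Lower-cased basename of an image path (accepts \\ or / separators)."""
    return ntpath.basename(path.replace("/", "\\")).lower()


def evaluate(event):
    """Return an alert dict if the event is a proxied execution, else None."""
    image = image_name(event.get("Image", ""))
    pattern = COMPILED.get(image)
    if pattern is None:
        return None  # not a proxy binary we track
    match = pattern.search(event.get("CommandLine", ""))
    if match is None:
        return None  # proxy started without a payload, e.g. pcalua.exe opening its own UI
    parent = image_name(event.get("ParentImage", ""))
    return {
        "proxy": image,
        "payload": match.group("payload"),
        "parent": parent,
        "severity": "high" if parent in SUSPICIOUS_PARENTS else "medium",
    }


def detect(events):
    """Run evaluate() over an iterable of events and collect the alerts."""
    return [alert for alert in map(evaluate, events) if alert is not None]


# Constructed Sysmon Event ID 1-style records for demonstration only.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": r"pcalua.exe -a C:\Users\victim\AppData\Local\Temp\update.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\pcalua.exe",          # benign: no -a target
     "CommandLine": r'"C:\Windows\System32\pcalua.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r'forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c calc.exe"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wlrmdr.exe",
     "CommandLine": r"wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\bash.exe",
     "CommandLine": r'bash.exe -c "cat /mnt/c/Users/victim/secrets.txt"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",  # unrelated process
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://example.com',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'[{alert["severity"]}] {alert["parent"]} -> {alert["proxy"]}: {alert["payload"]}')
```

Two caveats for anyone turning this into a production rule. Matching on the image basename is defeated by copying the binary under another name, so pair the basename check with Sysmon's OriginalFileName field. The cscript/wscript patterns will fire on every legitimate logon script; baseline those parents and paths before enabling them, and weight the parent-process check (Office, mshta.exe) rather than the bare image match.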