security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1202/T1202.md
T
Atomic Red Team doc generator 762f0548a1 Generated docs from job=generate-docs branch=master [ci skip]
2025-05-01 15:13:41 +00:00

215 lines
6.5 KiB
Markdown
Raw Permalink Blame History

# T1202 - Indirect Command Execution
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1202)
<blockquote>
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (`pcalua.exe`), components of the Windows Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe) Adversaries may also abuse the `ssh.exe` binary to execute malicious commands via the `ProxyCommand` and `LocalCommand` options, which can be invoked via the `-o` flag or by modifying the SSH config file.(Citation: Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot)
Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Indirect Command Execution - pcalua.exe](#atomic-test-1---indirect-command-execution---pcaluaexe)
- [Atomic Test #2 - Indirect Command Execution - forfiles.exe](#atomic-test-2---indirect-command-execution---forfilesexe)
- [Atomic Test #3 - Indirect Command Execution - conhost.exe](#atomic-test-3---indirect-command-execution---conhostexe)
- [Atomic Test #4 - Indirect Command Execution - Scriptrunner.exe](#atomic-test-4---indirect-command-execution---scriptrunnerexe)
- [Atomic Test #5 - Indirect Command Execution - RunMRU Dialog](#atomic-test-5---indirect-command-execution---runmru-dialog)
<br/>
## Atomic Test #1 - Indirect Command Execution - pcalua.exe
The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface.
[Reference](https://twitter.com/KyleHanslovan/status/912659279806640128)
Upon execution, calc.exe should open
**Supported Platforms:** Windows
**auto_generated_guid:** cecfea7a-5f03-4cdd-8bc8-6f7c22862440
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| payload_path | Path to payload | path | C:&#92;Windows&#92;System32&#92;calc.exe|
| process | Process to execute | string | calc.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
pcalua.exe -a #{process}
pcalua.exe -a #{payload_path}
```
<br/>
<br/>
## Atomic Test #2 - Indirect Command Execution - forfiles.exe
forfiles.exe may invoke the execution of programs and commands from a Command-Line Interface.
[Reference](https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Forfiles.yml)
"This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe"
Upon execution calc.exe will be opened.
**Supported Platforms:** Windows
**auto_generated_guid:** 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process | Process to execute | string | calc.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
forfiles /p c:\windows\system32 /m notepad.exe /c #{process}
```
<br/>
<br/>
## Atomic Test #3 - Indirect Command Execution - conhost.exe
conhost.exe refers to a host process for the console window. It provide an interface between command prompt and Windows explorer.
Executing it through command line can create process ancestry anomalies
[Reference] (http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/)
**Supported Platforms:** Windows
**auto_generated_guid:** cf3391e0-b482-4b02-87fc-ca8362269b29
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process | Process to execute | string | notepad.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
conhost.exe "#{process}"
```
<br/>
<br/>
## Atomic Test #4 - Indirect Command Execution - Scriptrunner.exe
The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting. Upon test execution, calc.exe should open
Reference: https://x.com/NickTyrer/status/914234924655312896
**Supported Platforms:** Windows
**auto_generated_guid:** 0fd14730-6226-4f5e-8d67-43c65f1be940
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| payload_path | Path to the executable | String | C:&#92;Windows&#92;System32&#92;calc.exe|
#### Attack Commands: Run with `powershell`!
```powershell
Scriptrunner.exe -appvscript "#{payload_path}"
```
<br/>
<br/>
## Atomic Test #5 - Indirect Command Execution - RunMRU Dialog
Simulates execution of commands via the Windows Run dialog (Win+R) by programmatically opening the Run dialog,
copying a command to clipboard, and automating the paste and execution. This generates artifacts in the RunMRU registry key,
which is commonly abused by threat actors to execute malicious commands disguised as CAPTCHA verification steps.
Upon execution, a test PowerShell command will be executed through the Run dialog.
**Supported Platforms:** Windows
**auto_generated_guid:** de323a93-2f18-4bd5-ba60-d6fca6aeff76
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command | Command to execute via Run dialog | string | calc.exe|
#### Attack Commands: Run with `powershell`!
```powershell
# Copy command to clipboard
Set-Clipboard -Value '#{command}'
# Open Run dialog
Start-Process -FilePath "powershell" -ArgumentList "-c (New-Object -ComObject 'Shell.Application').FileRun()" -WindowStyle Hidden
# Wait for Run dialog to open
Start-Sleep -Seconds 1
# Paste command and execute
Add-Type -AssemblyName System.Windows.Forms
[System.Windows.Forms.SendKeys]::SendWait('^v')
Start-Sleep -Milliseconds 500
[System.Windows.Forms.SendKeys]::SendWait('{ENTER}')
```
<br/>
Reference in New Issue View Git Blame Copy Permalink