T1202 - Indirect Command Execution

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)

Adversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.

Atomic Tests

Atomic Test #1 - Indirect Command Execution - pcalua.exe

The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface.

Reference

Upon execution, calc.exe should open.

Supported Platforms: windows

Attack Commands: Run with command_prompt

pcalua.exe -a calc.exe
pcalua.exe -a C:\Windows\System32\calc.exe
Invoke-AtomicTest T1202 -TestNumbers 1

Atomic Test #2 - Indirect Command Execution - forfiles.exe

forfiles.exe may invoke the execution of programs and commands from a Command-Line Interface.

Reference

“This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe”

Upon execution, calc.exe will be opened.

Supported Platforms: windows

Attack Commands: Run with command_prompt

forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
Invoke-AtomicTest T1202 -TestNumbers 2

Atomic Test #3 - Indirect Command Execution - conhost.exe

conhost.exe is the host process for the console window. It provides the interface between the command prompt and Windows Explorer.

Executing it directly from the command line, with another program as its argument, produces process ancestry anomalies: the launched program appears as a child of conhost.exe. [Reference](http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/)

Supported Platforms: windows

Attack Commands: Run with command_prompt

conhost.exe "notepad.exe"
Invoke-AtomicTest T1202 -TestNumbers 3

Detection

Monitor and analyze logs from host-based detection mechanisms, such as Sysmon, for events such as process creations whose command-line parameters invoke programs, commands or files, and for the child processes or network connections that result from them. (Citation: RSA Forfiles Aug 2017)
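As an added illustration of the Sysmon-based monitoring described above (example code written for this page, not part of Atomic Red Team or ATT&CK), the following Python applies a few rules to constructed process-creation records: the pcalua.exe -a and forfiles /c switches used in the tests above, a conhost.exe command line that names a program instead of the usual console-handle argument, and any process whose parent is one of these launchers (the ancestry anomaly behind test #3). Field order follows Sysmon Event ID 1 (Image, CommandLine, ParentImage); the sample records and rule names are constructed for the example.

```python
import re

S32 = r"C:\Windows\System32"
# Constructed Sysmon Event ID 1 records as (Image, CommandLine, ParentImage);
# sample inputs for this example, not telemetry from a real host.
SAMPLE_EVENTS = [
    (S32 + r"\pcalua.exe", "pcalua.exe -a calc.exe", S32 + r"\cmd.exe"),
    (S32 + r"\forfiles.exe",
     r"forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe", S32 + r"\cmd.exe"),
    (S32 + r"\calc.exe", "calc.exe", S32 + r"\forfiles.exe"),
    (S32 + r"\conhost.exe", 'conhost.exe "notepad.exe"', S32 + r"\cmd.exe"),
    (S32 + r"\notepad.exe", "notepad.exe", S32 + r"\conhost.exe"),
    (S32 + r"\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),  # benign baseline
]

# Utilities from the tests above that launch another program on the caller's behalf.
INDIRECT_LAUNCHERS = {"pcalua.exe", "forfiles.exe", "conhost.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()  # image name only

def classify(event):
    """Return the names of every rule one process-creation record trips."""
    image, cmd, parent = event
    image, parent = basename(image), basename(parent)
    hits = []
    if image == "pcalua.exe" and re.search(r"\s-a\s", cmd, re.I):
        hits.append("pcalua_a_switch")            # pcalua.exe -a <program>
    if image == "forfiles.exe" and re.search(r"\s/c\s", cmd, re.I):
        hits.append("forfiles_c_switch")          # forfiles ... /c <command>
    if image == "conhost.exe":
        args = cmd.split(None, 1)[1] if " " in cmd else ""
        if ".exe" in args.lower():                # normal conhost args look like 0x4
            hits.append("conhost_program_argument")
    if parent in INDIRECT_LAUNCHERS:
        hits.append("child_of_" + parent)         # launcher is the parent: ancestry anomaly
    return hits

def detect(events):
    """Pair each record's command line with the rules it tripped; clean records are dropped."""
    findings = []
    for event in events:
        rules = classify(event)
        if rules:
            findings.append((event[1], rules))
    return findings

if __name__ == "__main__":
    for cmdline, rules in detect(SAMPLE_EVENTS):
        print(f"{', '.join(rules):26s} {cmdline}")
```

The benign notepad.exe record launched from explorer.exe produces no finding, which is the baseline a production rule set should be tuned against before alerting.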

Shield Active Defense

Behavioral Analytics

Deploy tools that detect unusual system or user behavior.

Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity. This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system.

Opportunity

There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors.

Use Case

A defender can implement behavioral analytics that flag a system executing commands in non-standard ways. Such activity could indicate malicious behavior.

Procedures

Use behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file. Use behavioral analytics to identify a system that is running development tools but is not used by someone who does development. Use behavioral analytics to identify abnormal system processes being used to launch a different process.