Indirect Command Execution (T1202)

Technique & Subtechniques

  • Indirect Command Execution

Associated Tactics

  • Defense Evasion

Defense Evasion (TA0005)

The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

Procedure Examples

Description | Source(s)
Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting tool to deploy malware. Retrieved July 8, 2024. | Bleeping Computer - Scriptrunner.exe
Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved September 12, 2024. | Evi1cg Forfiles Nov 2017
Partington, E. (2017, August 14). Are you looking out for forfiles.exe (if you are watching for cmd.exe). Retrieved January 22, 2018. | RSA Forfiles Aug 2017
Secure Team - Information Assurance. (2023, January 8). Windows Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024. | Secure Team - Scriptrunner.exe
SS64. (n.d.). ScriptRunner.exe. Retrieved July 8, 2024. | SS64
vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles?. Retrieved September 12, 2024. | VectorSec ForFiles Aug 2017