title: Indirect Command Execution (T1202)
id: df00tech-t1202
status: experimental
description: "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd.exe directly. Tools such as Forfiles, the Program Compatibility Assistant (pcalua.exe), Windows Subsystem for Linux (WSL via wsl.exe or bash.exe), Scriptrunner.exe, and ssh.exe may invoke the execution of programs and commands from a scripting interpreter, Run window, or via scripts. Adversaries use these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and Group Policy controls that restrict cmd.exe usage or block certain file extensions. Real-world actors including Lazarus Group (forfiles for .htm execution), Revenge RAT (forfiles for command execution), and RedCurl (pcalua.exe for binary obfuscation) have demonstrated operational use of this technique."
references:
  - https://attack.mitre.org/techniques/T1202/
  - https://df00tech.com/detections/T1202
author: df00tech
date: 2026/04/19
tags:
  - attack.t1202
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate administrative use of forfiles.exe for batch file operations, directory traversal, or scheduled maintenance scripts (e.g., deleting files older than N days)"
  - WSL (wsl.exe/bash.exe) activity from developers who legitimately use Linux tools and access the Windows filesystem via /mnt/c in their daily workflows
  - System compatibility infrastructure invoking pcalua.exe when users launch legacy applications that trigger Program Compatibility Assistant automatically
  - SSH client usage with ProxyCommand set in ~/.ssh/config for legitimate jump-host configurations or tunneling through bastion hosts
  - Scriptrunner.exe invoked by application shims during compatibility testing or software packaging processes
level: medium