Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command-Line Interface, Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)Adversaries may abuse these utilities for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd.
Detection: Monitor and analyze logs from host-based detection mechanisms, such as Sysmon, for events such as process creations that include or are resulting from parameters associated with invoking programs/commands and/or spawning child processes. (Citation: RSA Forfiles Aug 2017)
Platforms: Windows
Data Sources: Process Monitoring, Process command-line parameters, Windows event logs
Defense Bypassed: Application whitelisting, Process whitelisting, Whitelisting by file name or path
Permissions Required: User
Contributors: Matthew Demaske, Adaptforward
The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| process | Process to execute | string | calc.exe |
| payload_path | Path to payload | path | c:\temp\payload.dll |
| payload_cpl_path | Path to payload | path | C:\Windows\system32\javacpl.cpl -c Java |
pcalua.exe -a ${process}
pcalua.exe -a ${payload_path}
pcalua.exe -a ${payload_cpl_path}
forfiles.exe may invoke the execution of programs and commands from a Command-Line Interface.
"This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe"
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| process | Process to execute | string | calc.exe |
forfiles /p c:\windows\system32 /m notepad.exe /c ${process}
forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"