MITRE ATT&CK® Technique

T1202: Indirect Command Execution

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (`pcalua.exe`), components of the Windows Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts.[1][2][3][4][5] Adversaries may also abuse the `ssh.exe` binary to execute malicious commands via the `ProxyCommand` and `LocalCommand` options, which can be invoked via the `-o` flag or by modifying the SSH config file.[6]

Adversaries may abuse these features for Stealth, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.

Enterprise | T1202 | Technique | Object v2.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Indirect Command Execution matters because blocking cmd.exe or common script extensions is not enough on Windows. ATT&CK describes adversaries abusing legitimate Windows utilities and features, such as Forfiles, Program Compatibility Assistant, WSL components, Scriptrunner.exe, and ssh.exe options, to execute commands while avoiding controls focused only on command-line interpreters.

Executive priority

Treat this as a control-validation issue, not just a malware issue. Leaders should ask whether Windows execution controls, monitoring, and audit evidence cover trusted utilities that can launch commands indirectly. This is material for SOC readiness and compliance evidence because a policy that blocks obvious interpreters may still leave alternate execution paths available. ATT&CK also links this technique to named groups and software, which makes it useful for threat-informed prioritization without assuming current exposure.

Technical view

For Windows environments, validate whether detection engineering covers command execution through legitimate utilities rather than only direct cmd.exe or script execution. ATT&CK provides no official detection text for T1202, but relationship context includes detection strategy DET0200, “Indirect Command Execution – Windows utility abuse behavior chain.” SOC teams should review process creation chains, parent-child process relationships, command-line arguments, and suspicious use of utilities named in the ATT&CK description, including Forfiles, pcalua.exe, WSL components, Scriptrunner.exe, and ssh.exe with command-execution-related options or config-driven behavior. IR teams should consider these utilities when reconstructing execution paths.

Likely telemetry

  • Windows process creation events with full command-line arguments
  • Parent-child process relationship telemetry for utility-launched programs
  • Script, batch, Run window, and command interpreter execution evidence where available
  • Application control, Group Policy, or execution restriction logs showing allowed or blocked launches
  • File and configuration change evidence relevant to SSH configuration when ssh.exe behavior is in scope

Detection direction

  • Do not tune only for cmd.exe; validate coverage for indirect execution via legitimate Windows utilities described by ATT&CK.
  • Build or review behavior-chain analytics around utility process launch followed by program or command execution, aligned to DET0200 where available.
  • Baseline legitimate administrative and batch-job use of tools such as Forfiles to reduce false positives.
  • Review command-line argument visibility; without full command-line capture, this technique is materially harder to distinguish from benign utility use.
  • Correlate utility execution with unusual parents, user context, execution location, and follow-on process activity rather than treating the utility name alone as malicious.
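The behaviour-chain checks above, written out as an added example (this is not code from Glexia, MITRE or any of the referenced authors). It evaluates constructed process-creation events in the Sysmon Event ID 1 / Security 4688 shape (parent image, image, command line, user), flags the named utilities only when their command line carries the switch that hands off execution (forfiles /c, pcalua -a, ScriptRunner -appvscript, wsl -e/--exec, WSL bash -c, ssh ProxyCommand/LocalCommand, taken from each utility's documented syntax), suppresses a baselined batch job, raises the score for unusual parents and user-writable launch targets, and separately scans an ssh_config body for the config-driven ssh.exe case that never shows an -o flag on the command line. The field names, the baseline triple, the suspicious-parent list, the path regex and every sample event and config line are assumptions built for this example.

```python
"""
Added example (not Glexia, MITRE or referenced-author code): T1202 behaviour-chain
checks over process-creation events plus an ssh_config scan. Field names, the
baseline, the suspicious-parent list and all sample data are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    parent: str    # ParentImage: full path of the launching process
    image: str     # Image: full path of the created process
    cmdline: str   # CommandLine: empty unless command-line capture is enabled
    user: str      # User: account the process runs as


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Utility -> (switch that makes it launch something else, note). Switches follow
# each utility's documented syntax; the utility name alone is never an alert.
INDIRECT_UTILS = {
    "forfiles.exe":     (re.compile(r"(^|\s)/c\s", re.I),
                         "forfiles /c launches a command per matched file"),
    "pcalua.exe":       (re.compile(r"(^|\s)-a\s", re.I),
                         "pcalua -a launches a program via the Compatibility Assistant"),
    "scriptrunner.exe": (re.compile(r"(^|\s)-appvscript\s", re.I),
                         "ScriptRunner -appvscript runs a script or program"),
    "wsl.exe":          (re.compile(r"(^|\s)(-e|--exec)\s", re.I),
                         "wsl -e/--exec runs a binary inside the distro"),
    "bash.exe":         (re.compile(r"(^|\s)-c\s", re.I),
                         "WSL bash -c runs a Linux command string"),
    "ssh.exe":          (re.compile(r"\b(ProxyCommand|LocalCommand)\b\s*[=\s]\s*\S", re.I),
                         "ssh ProxyCommand/LocalCommand run a local command"),
}

# Parents from which an indirect launcher is rarely legitimate (assumption).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe", "chrome.exe", "msedge.exe"}

# Launch targets under user-writable paths raise the score (assumption).
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|ProgramData|Windows\\Temp)\\", re.I)

# Approved (utility, parent, user) triples, e.g. a cleanup job the Task Scheduler
# service (svchost.exe) runs as SYSTEM. Constructed baseline.
BASELINE = {("forfiles.exe", "svchost.exe", r"nt authority\system")}


def evaluate(ev: ProcEvent) -> Optional[dict]:
    """Return an alert dict when ev is an indirect launch outside the baseline."""
    img = basename(ev.image)
    if img not in INDIRECT_UTILS:
        return None
    pattern, note = INDIRECT_UTILS[img]
    if not pattern.search(ev.cmdline):
        return None                       # utility ran, but not in a launching mode
    parent = basename(ev.parent)
    if (img, parent, ev.user.lower()) in BASELINE:
        return None                       # known-good batch-job use
    score, reasons = 1, [note]
    if parent in SUSPICIOUS_PARENTS:
        score += 2
        reasons.append(f"unusual parent {parent}")
    if USER_WRITABLE.search(ev.cmdline):
        score += 1
        reasons.append("launch target in a user-writable location")
    return {"utility": img, "parent": parent, "user": ev.user,
            "score": score, "reasons": reasons}


def run(events: List[ProcEvent]) -> List[dict]:
    return [a for a in (evaluate(e) for e in events) if a]


# ssh_config directives that execute a local command; config-driven abuse leaves
# no -o flag on the ssh.exe command line, so the file itself must be checked.
SSH_DIRECTIVE = re.compile(
    r"^\s*(ProxyCommand|LocalCommand|PermitLocalCommand)\s+(.*\S)\s*$", re.I | re.M)


def scan_ssh_config(text: str) -> List[Tuple[str, str]]:
    return [(m.group(1), m.group(2)) for m in SSH_DIRECTIVE.finditer(text)]


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\forfiles.exe",
              r'forfiles /p D:\logs /m *.log /d -30 /c "cmd /c del @path"',
              r"NT AUTHORITY\SYSTEM"),                                  # baselined job
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\forfiles.exe",
              r'forfiles /p C:\Windows\System32 /m notepad.exe /c '
              r'"C:\Users\jdoe\AppData\Local\Temp\update.exe"', r"CORP\jdoe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\pcalua.exe",
              r"pcalua.exe -a C:\Users\jdoe\Downloads\invoice.exe", r"CORP\jdoe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\OpenSSH\ssh.exe",
              r'ssh.exe -o ProxyCommand="C:\ProgramData\svc.exe" .', r"CORP\jdoe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\OpenSSH\ssh.exe",
              r"ssh.exe admin@bastion.corp.example", r"CORP\jdoe"),     # benign use
]

# Constructed sample ssh_config carrying persistent command-executing directives.
SAMPLE_SSH_CONFIG = r"""
Host bastion
    HostName bastion.corp.example
    User admin

Host *
    PermitLocalCommand yes
    LocalCommand C:\ProgramData\svc.exe
    ProxyCommand C:\Windows\System32\cmd.exe /c start C:\ProgramData\svc.exe
"""

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
    for directive, value in scan_ssh_config(SAMPLE_SSH_CONFIG):
        print(f"ssh_config: {directive} {value}")
```

Running the file prints three alerts (the Word-spawned forfiles launch, the pcalua launch from Downloads, and the script-host-spawned ssh.exe with ProxyCommand) and the three ssh_config directives; the SYSTEM cleanup job and the plain ssh session produce nothing. The dependency on command-line capture is deliberate: every check starts from `pattern.search(ev.cmdline)`, so Security 4688 events without "Include command line in process creation events" enabled (Sysmon records the command line by default) leave these launches indistinguishable from ordinary use of the same utilities.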

Mitigation priorities

  • Prioritize reducing reliance on controls that only block cmd.exe or common malicious file extensions.
  • Review Windows execution control policy for legitimate utilities capable of launching commands indirectly.
  • Use Group Policy or application control decisions carefully, with testing for business workflows that legitimately use these utilities.
  • Ensure SOC and IR playbooks include indirect execution paths when validating endpoint control effectiveness.
  • Maintain auditable evidence that controls and telemetry cover both direct and indirect command execution routes.

Analyst notes and limits

ATT&CK records this as an enterprise Windows technique under the stealth tactic. Relationship context shows use by Lazarus Group and RedCurl, and associated software including Forfiles and Revenge RAT; this should inform threat modeling but not be treated as proof of activity in any specific environment. The Cyble reference specifically mentions manufacturing in its title, so cyber-physical or operational resilience teams in manufacturing may want to confirm Windows endpoint visibility, but local evidence is required.

The official ATT&CK object does not provide a detection section or mitigation text for T1202. Recommendations here are derived from the supplied description, external references, and relationships only. Local asset roles, approved administrative workflows, endpoint telemetry quality, and control policy details are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0032: Lazarus Group

Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB).[1][2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]

North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]

Group (Enterprise)

G1039: RedCurl

RedCurl is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of industries, including but not limited to travel agencies, insurance companies, and banks.[1] RedCurl is allegedly a Russian-speaking threat actor.[1][2] The group’s operations typically start with spearphishing emails to gain initial access, then the group executes discovery and collection commands and scripts to find corporate data. The group concludes operations by exfiltrating files to the C2 servers.

Tool (Enterprise)

S0193: Forfiles

Forfiles is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: 5b8199be3394c583...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 2.0            |          | Current bundle | 5b8199be3394…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] VectorSec ForFiles Aug 2017: vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles?. Retrieved September 12, 2024.
[2] Evi1cg Forfiles Nov 2017: Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved September 12, 2024.
[3] Secure Team - Scriptrunner.exe: Secure Team - Information Assurance. (2023, January 8). Windows Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024.
[4] SS64: SS64. (n.d.). ScriptRunner.exe. Retrieved July 8, 2024.
[5] Bleeping Computer - Scriptrunner.exe: Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting tool to deploy malware. Retrieved July 8, 2024.
[6] Cyble Lumma/Amadey Dec 2024: Cyble. (2024, December 5). Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot. Retrieved February 4, 2025.
[7] mitre-attack T1202: MITRE ATT&CK source record for T1202.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.