T1202 — Indirect Command Execution

Technique

T1202

Tactics

Stealth

MISP citations

0

KEV CVEs mapped

9

Community rules

40

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1202

MITRE description

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (`pcalua.exe`), components of the Windows Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe) Adversaries may also abuse the `ssh.exe` binary to execute malicious commands via the `ProxyCommand` and `LocalCommand` options, which can be invoked via the `-o` flag or by modifying the SSH config file.(Citation: Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot) Adversaries may abuse these features for [Stealth](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2024-24919
• CVE-2023-40044
• CVE-2023-32315
• CVE-2022-29464
• CVE-2020-3452
• CVE-2019-3398
• CVE-2019-3396
• CVE-2018-0296
• CVE-2013-0629

Detection coverage

SigmaHQ community rules

• Arbitrary Command Execution Using WSL (threat-hunting)
• Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE (core)
• Troubleshooting Pack Cmdlet Execution (core)
• Indirect Inline Command Execution Via Bash.EXE (core)
• Indirect Command Execution From Script File Via Bash.EXE (core)
• Suspicious Child Process Of BgInfo.EXE (core)
• Uncommon Child Process Of BgInfo.EXE (core)
• Potential Arbitrary File Download Via Cmdl32.EXE (core)
• Suspicious High IntegrityLevel Conhost Legacy Option (core)
• Uncommon Child Process Of Conhost.EXE (core)
• Potentially Suspicious Child Processes Spawned by ConHost (core)
• Findstr Launching .lnk File (core)
• Potential Arbitrary Command Execution Via FTP.EXE (core)
• Suspicious ZipExec Execution (core)
• Suspicious Runscripthelper.exe (core)
• Potential Arbitrary Command Execution Using Msdt.EXE (core)
• Suspicious Cabinet File Execution Via Msdt.EXE (core)
• Potential Arbitrary File Download Using Office Application (core)
• Potentially Suspicious Office Document Executed From Trusted Location (core)
• Outlook EnableUnsafeClientMailRules Setting Enabled (core)
• Suspicious Remote Child Process From Outlook (core)
• Potential Arbitrary DLL Load Using Winword (core)
• Renamed CURL.EXE Execution (core)
• Renamed ZOHO Dctask64 Execution (core)
• Renamed FTP.EXE Execution (core)

Showing 25 of 40 community rules — the full set is tagged attack.t1202 in SigmaHQ.

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.