Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)Adversaries may abuse these utilities for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd.
The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| process | Process to execute | string | calc.exe |
| payload_path | Path to payload | path | c:\temp\payload.dll |
| payload_cpl_path | Path to payload | path | C:\Windows\system32\javacpl.cpl -c Java |
pcalua.exe -a #{process}
pcalua.exe -a #{payload_path}
pcalua.exe -a #{payload_cpl_path}
forfiles.exe may invoke the execution of programs and commands from a Command-Line Interface.
"This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe"
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| process | Process to execute | string | calc.exe |
forfiles /p c:\windows\system32 /m notepad.exe /c #{process}
forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"