Indirect Command Execution

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd.

Adversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.

Technique Identifier

T1202

Technique Tags

Defense Evasion Command execution concealment perform arbitrary execution Exploit CLIs

Evasion Categories

Defense Evasion [Mitre]

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Indirect Command Execution, Technique T1202 - Enterprise | MITRE ATT&CK®

Created

February 7, 2023

Last Revised

March 24, 2026