Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
Adversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CVE-2023-40044 | Progress WS_FTP Server Deserialization of Untrusted Data Vulnerability | secondary_impact | T1202 | Indirect Command Execution | Zero-day .NET deserialization vulnerability that allows an adversary to make an HTTP POST request to a vulnerable WS_FTP Server and execute commands. |
CVE-2013-0629 | Adobe ColdFusion Directory Traversal Vulnerability | primary_impact | T1202 | Indirect Command Execution | This is an exploitation of a public-facing server due to password misconfiguration. Exploitation allows attackers to access restricted directories. |
CVE-2018-0296 | Cisco Adaptive Security Appliance (ASA) Denial-of-Service Vulnerability | exploitation_technique | T1202 | Indirect Command Execution | CVE-2018-0296 is a critical vulnerability in the web interface of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software. This vulnerability allows an unauthenticated, remote attacker to perform directory traversal attacks and access sensitive system information. |
CVE-2020-3452 | Cisco ASA and FTD Read-Only Path Traversal Vulnerability | exploitation_technique | T1202 | Indirect Command Execution | CVE-2020-3452 is a vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software that could allow an unauthenticated remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. |
CVE-2019-3396 | Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability | secondary_impact | T1202 | Indirect Command Execution | CVE-2019-3396 is a critical server-side template injection vulnerability in Atlassian Confluence Server and Data Center that could lead to remote code execution. |
CVE-2019-3398 | Atlassian Confluence Server and Data Center Path Traversal Vulnerability | exploitation_technique | T1202 | Indirect Command Execution | CVE-2019-3398 is a path traversal vulnerability in Atlassian Confluence Server and Data Center that allows an authenticated attacker to write files to arbitrary locations, potentially leading to remote code execution. |
CVE-2023-32315 | Ignite Realtime Openfire Path Traversal Vulnerability | exploitation_technique | T1202 | Indirect Command Execution | CVE-2023-32315 is a path traversal bug in Openfire's administrative console that could be leveraged for remote code execution. Public reports have indicated that threat actors were exploiting this vulnerability to gain access to the Openfire plugins interface to create new admin console user accounts, install a malicious plugin, and gain access to a webshell. |
CVE-2024-24919 | Check Point Quantum Security Gateways Information Disclosure Vulnerability | exploitation_technique | T1202 | Indirect Command Execution | CVE-2024-24919 is an information disclosure/arbitrary file read vulnerability within Check Point's Quantum Security Gateway products. It has been reported that attackers are leveraging this vulnerability to retrieve all files on the local file system, read sensitive data, and extract credentials for all local accounts, including Active Directory, SSH keys, and certificates. |
CVE-2022-29464 | WSO2 Multiple Products Unrestrictive Upload of File Vulnerability | primary_impact | T1202 | Indirect Command Execution | CVE-2022-29464 is an unrestricted file upload vulnerability where an adversary can upload arbitrary files and, due to a directory traversal issue, write files to locations from which they can then send commands. Adversaries have been seen to use this to mine cryptocurrency. |