T1202: T1202
Essential information
- MITRE technique ID
- T1202
- Confidence
- 100/100
- Revoked
- No
- Published
- 18/04/2018 19:59
- Modified
- 22/04/2026 17:32
- Author / Source
- The MITRE Corporation
Aliases
Indirect Command Execution
Platforms
windows
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (19)
- The MITRE Corporation · Confidence 100
  [Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…
  First seen 01/01/1970 · Last seen 16/11/5138
- Sticky Werewolf · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
  [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong,…
  First seen 01/01/1970 · Last seen 16/11/5138
- Blackwood · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Lazarus · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- SnakeKeylogger · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- The MITRE Corporation · Confidence 100
  [Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials.…
  First seen 01/01/1970 · Last seen 16/11/5138
- UNG0002 · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Storm-0062 · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- CL0P · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- SLOW#TEMPEST · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
Malware (51)
- Vidar · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- SocGholish · uses · The MITRE Corporation · Confidence 100
  [SocGholish](https://attack.mitre.org/software/S1124) is a JavaScript-based loader malware that has been used since at least 2017. It has been observed in use against multiple sectors globally for initial access, primarily…
  First seen 01/01/1970 · Last seen 16/11/5138
- OilBooster · uses · Family · The MITRE Corporation · Confidence 100
  [OilBooster](https://attack.mitre.org/software/S1172) is a downloader written in Microsoft Visual C/C++ that has been used by [OilRig](https://attack.mitre.org/groups/G0049) since at least 2022 including against target organizations in Israel to download and…
  First seen 01/01/1970 · Last seen 16/11/5138
- Yurei Ransomware · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Ozone RAT · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- TZW · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- ODAgent · uses · Family · The MITRE Corporation · Confidence 100
  [ODAgent](https://attack.mitre.org/software/S1170) is a C#/.NET downloader that has been used by [OilRig](https://attack.mitre.org/groups/G0049) since at least 2022 including against target organizations in Israel to download and execute payloads and to…
  First seen 01/01/1970 · Last seen 16/11/5138
- Umbral-Stealer · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- C#/.NET · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Erbium Stealer · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- XWorm RAT · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
- Async RAT · uses · AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
Reports (13)
- Threat landscape — insurance · related · Confidence 100 · 199 MITREs · 11 APTs
- 19 MITREs · 1 Malware · 3 Observables · 1 APT
- 18 MITREs · 2 Malwares · 38 Observables · 1 APT
- 14 MITREs · 1 Malware
- 17 MITREs · 3 Malwares · 1 Observable
- 2 CVEs · 12 MITREs · 12 Observables
- 16 MITREs · 1 Malware · 2 Observables · 1 APT
- 3 MITREs · 1 Malware · 28 Observables
- CL0P Ransomware: Latest Attacks · related · 1 CVE · 35 MITREs · 1 Malware · 6 Observables · 1 APT
- Hunt for RedCurl · related · 12 MITREs · 1 Malware · 14 Observables · 1 APT
- VILSA STEALER · related · 17 MITREs · 2 Malwares · 3 Observables
- 8 MITREs · 5 Malwares · 14 Observables · 1 APT
Vulnerabilities (CVE) (20)
Out of bounds memory access in Mojo in Google Chrome prior to 115.0.5790.98 allowed a remote attacker who had compromised the renderer …
- Attack vector
- NETWORK
- Published
- 02/08/2023
- Modified
- 21/12/2025
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an …
- Attack vector
- NETWORK
- Published
- 20/07/2023
- Modified
- 21/12/2025
Microsoft Windows Search contains an unspecified vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses via a …
- Attack vector
- Network
- Published
- 17/07/2023
- Modified
- 27/05/2026
Use after free in WebRTC in Google Chrome prior to 115.0.5790.98 allowed a remote attacker to potentially exploit heap corruption via a …
- Attack vector
- NETWORK
- Published
- 02/08/2023
- Modified
- 21/12/2025
Versions of the package net.sourceforge.htmlunit:htmlunit from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the …
- Attack vector
- NETWORK
- Published
- 03/04/2023
- Modified
- 21/12/2025
Privilege escalation vulnerability was discovered in Atera Agent 1.8.4.4 and prior on Windows due to mishandling of privileged APIs.
- Attack vector
- LOCAL
- Published
- 24/07/2023
- Modified
- 21/12/2025
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.46 and …
- Attack vector
- NETWORK
- Published
- 18/07/2023
- Modified
- 21/12/2025
Privilege Escalation to root administrator (nsroot)
- Attack vector
- ADJACENT_NETWORK
- Published
- 19/07/2023
- Modified
- 21/12/2025
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists that could cause arbitrary code execution, denial of service and loss …
- Attack vector
- NETWORK
- Published
- 30/01/2023
- Modified
- 21/12/2025
Use after free in Tab Groups in Google Chrome prior to 115.0.5790.98 allowed a remote attacker who convinced a user to engage …
- Attack vector
- NETWORK
- Published
- 02/08/2023
- Modified
- 21/12/2025
In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support …
- Attack vector
- NETWORK
- Published
- 19/04/2023
- Modified
- 21/12/2025
Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an unspecified vulnerability allowing an app to modify a sensitive kernel state.
- Attack vector
- Local
- Published
- 26/07/2023
- Modified
- 21/12/2025
Tool (1)
- Forfiles · uses · The MITRE Corporation · Confidence 100
  [Forfiles](https://attack.mitre.org/software/S0193) is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive,…