Indirect Command Execution T1202

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (`pcalua.exe`), components of the Windows Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts. Adversaries may also abuse the `ssh.exe` binary to execute malicious commands via the `ProxyCommand` and `LocalCommand` options, which can be invoked via the `-o` flag or by modifying the SSH config file.

Events covered

7 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 62 rules tagged with this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's `Image`, Elastic's `process.name`, and Splunk's `process_name` collapse into one row. Each rule contributes at most once per row.

Fields filtered most (26 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| Image | 35 | ends_with 29, contains 7, eq 2, starts_with 2, wildcard 2, is_null 1, regex_match 1 | \msdt.exe, \winword.exe, :\temp\, :\users\public\, :\windows\system32\bash.exe |
| CommandLine | 30 | contains 21, ends_with 4, regex_match 4, wildcard 2, eq 1, is_null 1 | (?i)conhost\.exe.*?\.exe, ^\S+\s, conhost.exe 0xffffffff -ForceV1, --exec, --install |
| OriginalFileName | 22 | eq 22 | bash.exe, winword.exe, excel.exe, forfiles.exe, ftp.exe |
| ParentImage | 14 | ends_with 13, contains 1 | \bginfo.exe, \bginfo64.exe, \conhost.exe, \wsl.exe, \wslhost.exe |
| event.type | 10 | eq 10 | start, change |
| process_name | 10 | eq 8, match 2 | (?i)^ssh\.exe, forfiles.exe, wsl.exe, conhost.exe, dism.exe |
| EventID | 6 | eq 6 | 4688, 1 |
| parent_process_name | 5 | eq 3, regex_match 2 | (?i)(forfiles\|fodhelper\|ftp\|pcalua)\.exe, wsl.exe, forfiles.exe, pcalua.exe, wslhost.exe |
| process.args | 4 | eq 3, starts_with 1, wildcard 1 | --distribution, --exec, --headless, --install, --system |
| ParentCommandLine | 3 | eq 2, starts_with 1 | *forfiles* /c *, *pcalua* -a*, bash |
| Type | 3 | eq 3 | |
| Description | 2 | eq 2 | PAExec Application, The curl executable |
| Details | 2 | contains 1, eq 1 | -command, powershell, unknown |
| Hashes | 2 | contains 2 | imphash=11d40a7b7876288f919ab819cc2d9802, imphash=1a6cca4d5460b1710a12dea39e4a592c, imphash=1bb6f93b129f398c7c4a76bb97450bba, imphash=6444f8a34e99b8f7d9647de66aabe516, imphash=6834b1b94e49701d77ccb3c0895e1afd |
| Product | 2 | contains 1, is_null 1, starts_with 1 | Sysinternals, paexec |

Top indicator values (513 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| event.type | eq | start | 9 | 241 |
| EventID | eq | 4688 | 4 | 312 |
| EventID | eq | 1 | 2 | 232 |
| Image | ends_with | \cmd.exe | 4 | 134 |
| Image | ends_with | \cscript.exe | 4 | 76 |
| Image | ends_with | \powershell.exe | 4 | 186 |
| Image | ends_with | \pwsh.exe | 4 | 172 |
| Image | ends_with | \wscript.exe | 4 | 78 |
| Image | ends_with | \calc.exe | 3 | 14 |
| Image | ends_with | \msdt.exe | 3 | 10 |
| Image | ends_with | \mshta.exe | 3 | 69 |
| Image | ends_with | \regsvr32.exe | 3 | 68 |
| Image | ends_with | \winword.exe | 3 | 27 |
| Image | ends_with | :\windows\system32\bash.exe | 2 | 2 |
| Image | ends_with | :\windows\syswow64\bash.exe | 2 | 2 |
| Image | ends_with | \excel.exe | 2 | 24 |
| Image | ends_with | \ftp.exe | 2 | 3 |
| Image | ends_with | \powerpnt.exe | 2 | 19 |
| Image | ends_with | \rundll32.exe | 2 | 103 |
| OriginalFileName | eq | bash.exe | 3 | 4 |
| OriginalFileName | eq | winword.exe | 3 | 6 |
| OriginalFileName | eq | excel.exe | 2 | 4 |
| OriginalFileName | eq | forfiles.exe | 2 | 3 |
| CommandLine | regex_match | (?i)conhost\.exe.*?\.exe | 2 | 2 |
| CommandLine | regex_match | ^\S+\s | 2 | 2 |
| CommandLine | regex_match | conhost.exe 0xffffffff -ForceV1 | 2 | 2 |
| CommandLine | wildcard | *schtasks* | 2 | 2 |
| Image | contains | :\temp\ | 2 | 14 |
| Image | contains | :\users\public\ | 2 | 16 |
| Image | contains | :\windows\temp\ | 2 | 13 |

Exclusions (79 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
|---|---|---|---|
| CommandLine | contains | --install | 1 |
| CommandLine | contains | --unregister | 1 |
| CommandLine | contains | -d | 1 |
| CommandLine | contains | -e kill | 1 |
| CommandLine | contains | -i | 1 |
| CommandLine | contains | bash - | 1 |
| CommandLine | contains | bash.exe - | 1 |
| CommandLine | contains | wau-notify.ps1 | 1 |
| CommandLine | ends_with | .dotx | 1 |
| CommandLine | ends_with | .potx | 1 |
| CommandLine | ends_with | .xltx | 1 |
| CommandLine | eq | bash | 1 |
| CommandLine | eq | bash.exe | 1 |
| CommandLine | eq | powershell.exe -Command $env:USERPROFILE | 1 |
| CommandLine | starts_with | git.exe -c log. | 1 |
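As an added illustration of the two tables above (not code from the catalog or any of its rules), the matcher below evaluates the catalog's predicate kinds and top-level not() exclusions over a few constructed process-creation events using the normalized field names; the events and the rule combinations are assumed for this example. It shows why a high-reach indicator such as Image ends_with \cmd.exe fires on routine activity until it is paired with a second condition, and how an exclusion such as CommandLine contains --install filters a benign path.

```python
import fnmatch
import re

# Constructed sample events in the catalog's normalized field names (Sigma Image,
# Elastic process.name and Splunk process_name all collapse into "Image").
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",        # 0: routine shell from Explorer
     "ParentCommandLine": "explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"Image": r"C:\Windows\System32\cmd.exe",        # 1: shell started through pcalua.exe
     "ParentCommandLine": "pcalua.exe -a cmd.exe",
     "CommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\wsl.exe",        # 2: benign WSL setup
     "ParentCommandLine": "explorer.exe",
     "CommandLine": "wsl.exe --install"},
    {"Image": r"C:\Windows\System32\wsl.exe",        # 3: WSL used to run a Linux binary
     "ParentCommandLine": "cmd.exe",
     "CommandLine": "wsl.exe --exec /bin/ls"},
]

# Operators as the catalog names them; string comparisons are case-insensitive,
# matching how most Windows process-creation rules are written.
OPS = {
    "eq":          lambda v, x: v is not None and v.lower() == x.lower(),
    "ends_with":   lambda v, x: v is not None and v.lower().endswith(x.lower()),
    "starts_with": lambda v, x: v is not None and v.lower().startswith(x.lower()),
    "contains":    lambda v, x: v is not None and x.lower() in v.lower(),
    "wildcard":    lambda v, x: v is not None and fnmatch.fnmatchcase(v.lower(), x.lower()),
    "regex_match": lambda v, x: v is not None and re.search(x, v) is not None,
    "is_null":     lambda v, x: v is None,
}

def rule_hits(event, selection, exclusions=()):
    """All selection predicates must hold; any matching top-level not() exclusion suppresses."""
    check = lambda field, op, value: OPS[op](event.get(field), value)
    return all(check(*p) for p in selection) and not any(check(*p) for p in exclusions)

def matching_events(selection, exclusions=(), events=EVENTS):
    """Indexes of the events a (selection, exclusions) rule would alert on."""
    return [i for i, ev in enumerate(events) if rule_hits(ev, selection, exclusions)]

# Indicator with corpus reach 134: noisy on its own (hits events 0 and 1).
CMD_ALONE = [("Image", "ends_with", r"\cmd.exe")]
# Same indicator paired with the catalog's ParentCommandLine wildcard (hits only event 1).
CMD_VIA_PCALUA = CMD_ALONE + [("ParentCommandLine", "wildcard", "*pcalua* -a*")]
# WSL launches with the catalog's "--install" exclusion applied (event 2 is suppressed).
WSL_EXEC = [("Image", "ends_with", r"\wsl.exe")]
WSL_EXCLUDE = [("CommandLine", "contains", "--install")]
```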

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.

Sigma: 40 rules

Elastic: 10 rules

Splunk: 12 rules