Indirect Command Execution T1202
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands without ever spawning `cmd.exe`, so controls and detections keyed on the interpreter itself never see the activity. For example, Forfiles, the Program Compatibility Assistant (`pcalua.exe`), components of the Windows Subsystem for Linux (WSL) such as `bash.exe`, `Scriptrunner.exe`, as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, the Run window, or via scripts. Adversaries may also abuse the `ssh.exe` binary to execute malicious commands via the `ProxyCommand` and `LocalCommand` options, which can be supplied on the command line with the `-o` flag or by modifying the SSH config file.
Events covered
5 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 39 rules tagged with this technique: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row, so a count of N means N distinct rules use that field, not N occurrences.
Fields filtered most (16 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (414 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Common exclusions (2 distinct)
Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 38 rules
- Custom File Open Handler Executes PowerShell
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
- Findstr Launching .lnk File
- Indirect Command Execution From Script File Via Bash.EXE
- Indirect Inline Command Execution Via Bash.EXE
- Outlook EnableUnsafeClientMailRules Setting Enabled
- Potential Arbitrary Command Execution Using Msdt.EXE
- Potential Arbitrary Command Execution Via FTP.EXE
- Potential Arbitrary DLL Load Using Winword
- Potential Arbitrary File Download Using Office Application
- Potential Arbitrary File Download Via Cmdl32.EXE
- Potential Binary Impersonating Sysinternals Tools
- Potentially Suspicious Child Process Of VsCode
- Potentially Suspicious Child Processes Spawned by ConHost
- Potentially Suspicious Office Document Executed From Trusted Location
- Proxy Execution via Vshadow
- Renamed CURL.EXE Execution
- Renamed FTP.EXE Execution
- Renamed NirCmd.EXE Execution
- Renamed PAExec Execution
- Renamed PingCastle Binary Execution
- Renamed ZOHO Dctask64 Execution
- Rundll32 Execution Without CommandLine Parameters
- Suspicious Cabinet File Execution Via Msdt.EXE
- Suspicious Child Process Of BgInfo.EXE
- Suspicious High IntegrityLevel Conhost Legacy Option
- Suspicious Remote Child Process From Outlook
- Suspicious Runscripthelper.exe
- Suspicious Service Binary Directory
- Suspicious Splwow64 Without Params
- Suspicious ZipExec Execution
- Troubleshooting Pack Cmdlet Execution
- Uncommon Child Process Of BgInfo.EXE
- Uncommon Child Process Of Conhost.EXE
- Uncommon Child Process Of Setres.EXE
- Windows Binary Executed From WSL
- WSL Child Process Anomaly
- WSL Kali-Linux Usage