T1202 Indirect Command Execution Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let IndirectExecutors = dynamic(["forfiles.exe", "pcalua.exe", "scriptrunner.exe", "wsl.exe", "bash.exe", "wscript.exe"]);
let SuspiciousChildProcesses = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msbuild.exe", "csc.exe", "net.exe", "net1.exe", "sc.exe", "reg.exe"]);
// Detection 1: Forfiles used to execute commands indirectly
let ForfilesExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "forfiles.exe"
| where ProcessCommandLine has_any ("/c", "/C")
| where ProcessCommandLine has_any ("cmd", "powershell", "pwsh", "mshta", "wscript", "cscript", "rundll32", "regsvr32", "certutil", "bitsadmin", "/c ", "0x", "@path", "@file", "@fdate", "@ftime")
| extend ExecutionMethod = "Forfiles"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ExecutionMethod;
// Detection 2: pcalua.exe used for binary execution bypass
let PcaluaExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "pcalua.exe"
| where ProcessCommandLine has_any ("-a", "-i")
| extend ExecutionMethod = "PcaluaBypass"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ExecutionMethod;
// Detection 3: Scriptrunner.exe proxy execution
let ScriptrunnerExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "scriptrunner.exe"
| where ProcessCommandLine has_any ("-appcompat", "/appcompat", "-appcompatpath", ".exe", ".bat", ".ps1", ".cmd")
| extend ExecutionMethod = "Scriptrunner"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ExecutionMethod;
// Detection 4: WSL/bash used to execute Windows-facing commands or reach out
let WslExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("wsl.exe", "bash.exe")
| where ProcessCommandLine has_any ("-e ", "--exec", "-c ", "cmd.exe", "powershell", "net.exe", "curl", "wget", "nc", "ncat", "python", "/mnt/c", "/proc/", "base64")
| extend ExecutionMethod = "WSL"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ExecutionMethod;
// Detection 5: ssh.exe ProxyCommand / LocalCommand abuse
let SshExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "ssh.exe"
| where ProcessCommandLine has_any ("ProxyCommand", "LocalCommand", "-o ProxyCommand", "-o LocalCommand", "PermitLocalCommand")
| extend ExecutionMethod = "SSH-ProxyCommand"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ExecutionMethod;
// Union all detections
union ForfilesExec, PcaluaExec, ScriptrunnerExec, WslExec, SshExec
| sort by Timestamp desc

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate administrative use of forfiles.exe for batch file operations, directory traversal, or scheduled maintenance scripts (e.g., deleting files older than N days)
WSL (wsl.exe/bash.exe) activity from developers who legitimately use Linux tools and access the Windows filesystem via /mnt/c in their daily workflows
System compatibility infrastructure invoking pcalua.exe when users launch legacy applications that trigger Program Compatibility Assistant automatically
SSH client usage with ProxyCommand set in ~/.ssh/config for legitimate jump-host configurations or tunneling through bastion hosts
Scriptrunner.exe invoked by application shims during compatibility testing or software packaging processes

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image=lower(Image)
| eval CommandLine=lower(CommandLine)
| eval ParentImage=lower(ParentImage)
// Identify indirect execution method
| eval IsForfiles=if(match(Image, "forfiles\.exe$") AND match(CommandLine, "(/c|/c\s)"), 1, 0)
| eval IsPcalua=if(match(Image, "pcalua\.exe$") AND match(CommandLine, "(-a|-i)\s"), 1, 0)
| eval IsScriptrunner=if(match(Image, "scriptrunner\.exe$") AND match(CommandLine, "(-appcompat|/appcompat|\.exe|\.bat|\.ps1|\.cmd)"), 1, 0)
| eval IsWsl=if((match(Image, "wsl\.exe$") OR match(Image, "bash\.exe$")) AND match(CommandLine, "(-e\s|--exec|-c\s|cmd\.exe|powershell|net\.exe|curl|wget|\snc\s|ncat|python|/mnt/c|base64)"), 1, 0)
| eval IsSshProxy=if(match(Image, "ssh\.exe$") AND match(CommandLine, "(proxycommand|localcommand|permitlocalcommand)"), 1, 0)
// Compute execution method label
| eval ExecutionMethod=case(
    IsForfiles=1, "Forfiles",
    IsPcalua=1, "PcaluaBypass",
    IsScriptrunner=1, "Scriptrunner",
    IsWsl=1, "WSL",
    IsSshProxy=1, "SSH-ProxyCommand",
    true(), null()
  )
| where isnotnull(ExecutionMethod)
// Elevate suspicion if parent is Office, script hosts, or suspicious loaders
| eval SuspiciousParent=if(match(ParentImage, "(winword\.exe|excel\.exe|outlook\.exe|powerpnt\.exe|mshta\.exe|wscript\.exe|cscript\.exe|explorer\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe)"), 1, 0)
| eval SuspicionScore=IsForfiles + IsPcalua + IsScriptrunner + IsWsl + IsSshProxy + SuspiciousParent
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, ExecutionMethod, SuspiciousParent, SuspicionScore
| sort - _time

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate administrative use of forfiles.exe for batch file operations, directory traversal, or scheduled maintenance scripts (e.g., deleting files older than N days)
WSL (wsl.exe/bash.exe) activity from developers who legitimately use Linux tools and access the Windows filesystem via /mnt/c in their daily workflows
System compatibility infrastructure invoking pcalua.exe when users launch legacy applications that trigger Program Compatibility Assistant automatically
SSH client usage with ProxyCommand set in ~/.ssh/config for legitimate jump-host configurations or tunneling through bastion hosts
Scriptrunner.exe invoked by application shims during compatibility testing or software packaging processes

Elastic Security (EQL)

eql

sequence by host.id with maxspan=30s
  [process where event.type == "start" and
    process.name in~ ("forfiles.exe", "pcalua.exe", "scriptrunner.exe", "wsl.exe", "bash.exe", "ssh.exe") and
    (
      (process.name == "forfiles.exe" and process.args : ("/c", "/C")) or
      (process.name == "pcalua.exe" and process.args : ("-a", "-i")) or
      (process.name == "scriptrunner.exe" and process.args : ("-appcompat", "/appcompat", "*.exe", "*.bat", "*.ps1", "*.cmd")) or
      (process.name in~ ("wsl.exe", "bash.exe") and process.args : ("-e", "--exec", "-c", "cmd.exe", "powershell*", "/mnt/c*", "base64")) or
      (process.name == "ssh.exe" and process.args : ("*ProxyCommand*", "*LocalCommand*", "*PermitLocalCommand*"))
    )
  ] by process.pid
  [process where event.type == "start" and
    process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msbuild.exe", "csc.exe")
  ] by process.parent.pid

high severity high confidence

Data Sources

Elastic Endpoint Winlogbeat with Sysmon Auditbeat

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Developers using WSL (wsl.exe/bash.exe) with PowerShell or cmd.exe for legitimate cross-environment scripting tasks
IT automation tools using forfiles.exe during scheduled maintenance or backup operations with /c flags
Security tools and vulnerability scanners using ssh.exe with ProxyCommand for tunneling through jump hosts

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  QIDNAME(qid) AS event_name,
  "ImageLoaded" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  sourceip,
  CASE
    WHEN LOWER("Image") LIKE '%forfiles.exe' THEN 'Forfiles'
    WHEN LOWER("Image") LIKE '%pcalua.exe' THEN 'PcaluaBypass'
    WHEN LOWER("Image") LIKE '%scriptrunner.exe' THEN 'Scriptrunner'
    WHEN LOWER("Image") LIKE '%wsl.exe' OR LOWER("Image") LIKE '%bash.exe' THEN 'WSL'
    WHEN LOWER("Image") LIKE '%ssh.exe' THEN 'SSH-ProxyCommand'
    ELSE 'Unknown'
  END AS execution_method
FROM events
WHERE LOGSOURCETYPEID = 12 AND devicetype = 12
  AND (LONG("EventID") = 1)
  AND (
    (LOWER("Image") LIKE '%forfiles.exe' AND (LOWER("CommandLine") LIKE '% /c %' OR LOWER("CommandLine") LIKE '% /c%'))
    OR (LOWER("Image") LIKE '%pcalua.exe' AND (LOWER("CommandLine") LIKE '% -a %' OR LOWER("CommandLine") LIKE '% -i %'))
    OR (LOWER("Image") LIKE '%scriptrunner.exe' AND (LOWER("CommandLine") LIKE '%-appcompat%' OR LOWER("CommandLine") LIKE '%.exe%' OR LOWER("CommandLine") LIKE '%.ps1%'))
    OR ((LOWER("Image") LIKE '%wsl.exe' OR LOWER("Image") LIKE '%bash.exe') AND (LOWER("CommandLine") LIKE '% -c %' OR LOWER("CommandLine") LIKE '%/mnt/c%' OR LOWER("CommandLine") LIKE '%cmd.exe%' OR LOWER("CommandLine") LIKE '%base64%'))
    OR (LOWER("Image") LIKE '%ssh.exe' AND (LOWER("CommandLine") LIKE '%proxycommand%' OR LOWER("CommandLine") LIKE '%localcommand%' OR LOWER("CommandLine") LIKE '%permitlocalcommand%'))
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Sysmon via Windows Event Log IBM QRadar SIEM Microsoft Windows DSM

Required Tables

events

False Positives

Administrators using forfiles.exe for legitimate batch file management or scheduled cleanup tasks
WSL power users running development workflows that invoke Windows binaries from Linux environment via /mnt/c paths
Enterprise SSH configurations using ProxyCommand for legitimate jump host or bastion access patterns

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=WinEvents/Sysmon
| where EventID = 1
| parse field=Message "Image: *" as Image nodrop
| parse field=Message "CommandLine: *" as CommandLine nodrop
| parse field=Message "ParentImage: *" as ParentImage nodrop
| parse field=Message "User: *" as User nodrop
| parse field=Message "Computer: *" as Computer nodrop
| eval Image = toLowerCase(Image)
| eval CommandLine = toLowerCase(CommandLine)
| eval ParentImage = toLowerCase(ParentImage)
| eval IsForfiles = if(matches(Image, ".*forfiles\.exe$") and (matches(CommandLine, ".*/c .*") or matches(CommandLine, ".*/c$")), 1, 0)
| eval IsPcalua = if(matches(Image, ".*pcalua\.exe$") and (matches(CommandLine, ".*-a .*") or matches(CommandLine, ".*-i .*")), 1, 0)
| eval IsScriptrunner = if(matches(Image, ".*scriptrunner\.exe$") and (matches(CommandLine, ".*-appcompat.*") or matches(CommandLine, ".*\.exe.*") or matches(CommandLine, ".*\.ps1.*") or matches(CommandLine, ".*\.bat.*")), 1, 0)
| eval IsWsl = if((matches(Image, ".*wsl\.exe$") or matches(Image, ".*bash\.exe$")) and (matches(CommandLine, ".* -c .*") or matches(CommandLine, ".*--exec.*") or matches(CommandLine, ".*/mnt/c.*") or matches(CommandLine, ".*cmd\.exe.*") or matches(CommandLine, ".*base64.*")), 1, 0)
| eval IsSshProxy = if(matches(Image, ".*ssh\.exe$") and (matches(CommandLine, ".*proxycommand.*") or matches(CommandLine, ".*localcommand.*") or matches(CommandLine, ".*permitlocalcommand.*")), 1, 0)
| eval ExecutionMethod = if(IsForfiles=1, "Forfiles", if(IsPcalua=1, "PcaluaBypass", if(IsScriptrunner=1, "Scriptrunner", if(IsWsl=1, "WSL", if(IsSshProxy=1, "SSH-ProxyCommand", null)))))
| where !isNull(ExecutionMethod)
| eval SuspiciousParent = if(matches(ParentImage, ".*(winword|excel|outlook|powerpnt|mshta|wscript|cscript|explorer|rundll32|regsvr32|msiexec)\.exe.*"), 1, 0)
| eval SuspicionScore = IsForfiles + IsPcalua + IsScriptrunner + IsWsl + IsSshProxy + SuspiciousParent
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ExecutionMethod, SuspiciousParent, SuspicionScore
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Sysmon via Sumo Logic Collector Sumo Logic Cloud SIEM

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=WinEvents/Sysmon

False Positives

Build servers or CI/CD pipelines using scriptrunner.exe or forfiles.exe as part of automated deployment scripts
Developers in WSL environments using bash.exe to interact with Windows file system via /mnt/c during normal development
Network engineers using ssh.exe with ProxyCommand configurations for legitimate multi-hop SSH tunneling to infrastructure

Google Chronicle / SecOps

yaral

rule t1202_indirect_command_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects indirect command execution via forfiles, pcalua, scriptrunner, WSL, bash, or ssh.exe - MITRE ATT&CK T1202"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1202"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(forfiles\.exe|pcalua\.exe|scriptrunner\.exe|wsl\.exe|bash\.exe|ssh\.exe)$/
    (
      (
        $e.principal.process.file.full_path = /(?i)forfiles\.exe$/ and
        $e.target.process.command_line = /(?i)(\s/c\s|\s/C\s)/
      ) or
      (
        $e.principal.process.file.full_path = /(?i)pcalua\.exe$/ and
        $e.target.process.command_line = /(?i)(\s-a\s|\s-i\s)/
      ) or
      (
        $e.principal.process.file.full_path = /(?i)scriptrunner\.exe$/ and
        $e.target.process.command_line = /(?i)(-appcompat|\/appcompat|\.exe|\.bat|\.ps1|\.cmd)/
      ) or
      (
        $e.principal.process.file.full_path = /(?i)(wsl\.exe|bash\.exe)$/ and
        $e.target.process.command_line = /(?i)(\s-c\s|--exec|\/mnt\/c|cmd\.exe|powershell|base64|wget|curl)/
      ) or
      (
        $e.principal.process.file.full_path = /(?i)ssh\.exe$/ and
        $e.target.process.command_line = /(?i)(ProxyCommand|LocalCommand|PermitLocalCommand)/
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows Event Logs via Chronicle forwarder Sysmon via Chronicle

Required Tables

UDM Events - PROCESS_LAUNCH

False Positives

Automated IT management scripts using forfiles.exe to process files by extension and execute maintenance commands in enterprise environments
WSL-based development toolchains that regularly call Windows binaries like cmd.exe or PowerShell from bash.exe during build processes
Red team or penetration testing tools that legitimately use SSH ProxyCommand for network pivot configurations during authorized engagements

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(forfiles\.exe|pcalua\.exe|scriptrunner\.exe|wsl\.exe|bash\.exe|ssh\.exe)$/
| case {
    ImageFileName = /(?i)forfiles\.exe$/ AND CommandLine = /(?i)(\s/c\s|\s/C\s)/ | ExecutionMethod := "Forfiles" ;
    ImageFileName = /(?i)pcalua\.exe$/ AND CommandLine = /(?i)(\s-a\s|\s-i\s)/ | ExecutionMethod := "PcaluaBypass" ;
    ImageFileName = /(?i)scriptrunner\.exe$/ AND CommandLine = /(?i)(-appcompat|\/appcompat|\.exe|\.bat|\.ps1|\.cmd)/ | ExecutionMethod := "Scriptrunner" ;
    ImageFileName = /(?i)(wsl\.exe|bash\.exe)$/ AND CommandLine = /(?i)(\s-c\s|--exec|\/mnt\/c|cmd\.exe|powershell|base64|wget|curl|ncat)/ | ExecutionMethod := "WSL" ;
    ImageFileName = /(?i)ssh\.exe$/ AND CommandLine = /(?i)(ProxyCommand|LocalCommand|PermitLocalCommand)/ | ExecutionMethod := "SSH-ProxyCommand" ;
  }
| ParentImageFileName = /(?i)(winword\.exe|excel\.exe|outlook\.exe|powerpnt\.exe|mshta\.exe|wscript\.exe|cscript\.exe|explorer\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe)$/ 
  | SuspiciousParent := "true"
| table([_timeparsed, ComputerName, UserName, ImageFileName, CommandLine, ParentImageFileName, ParentCommandLine, ExecutionMethod, SuspiciousParent])
| sort(field=_timeparsed, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon ProcessRollup2 events CrowdStrike LogScale

Required Tables

ProcessRollup2

False Positives

Software deployment tools using forfiles.exe with /c parameter to perform file-based operations across directories during patch cycles
Containerized development environments using bash.exe or wsl.exe to bridge Windows and Linux toolchains, triggering on /mnt/c access patterns
IT security teams running authorized penetration tests using ssh.exe with ProxyCommand to simulate adversary lateral movement techniques

Indirect Command Execution

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections