T1202 Microsoft Sentinel · KQL

Detect Indirect Command Execution in Microsoft Sentinel

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd.exe directly. Tools such as Forfiles, the Program Compatibility Assistant (pcalua.exe), Windows Subsystem for Linux (WSL via wsl.exe or bash.exe), Scriptrunner.exe, and ssh.exe may invoke the execution of programs and commands from a scripting interpreter, Run window, or via scripts. Adversaries use these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and Group Policy controls that restrict cmd.exe usage or block certain file extensions. Real-world actors including Lazarus Group (forfiles for .htm execution), Revenge RAT (forfiles for command execution), and RedCurl (pcalua.exe for binary obfuscation) have demonstrated operational use of this technique.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1202 Indirect Command Execution
Canonical reference
https://attack.mitre.org/techniques/T1202/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let IndirectExecutors = dynamic(["forfiles.exe", "pcalua.exe", "scriptrunner.exe", "wsl.exe", "bash.exe", "wscript.exe"]);
let SuspiciousChildProcesses = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msbuild.exe", "csc.exe", "net.exe", "net1.exe", "sc.exe", "reg.exe"]);
// Detection 1: Forfiles used to execute commands indirectly
let ForfilesExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "forfiles.exe"
| where ProcessCommandLine has_any ("/c", "/C")
| where ProcessCommandLine has_any ("cmd", "powershell", "pwsh", "mshta", "wscript", "cscript", "rundll32", "regsvr32", "certutil", "bitsadmin", "/c ", "0x", "@path", "@file", "@fdate", "@ftime")
| extend ExecutionMethod = "Forfiles"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ExecutionMethod;
// Detection 2: pcalua.exe used for binary execution bypass
let PcaluaExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "pcalua.exe"
| where ProcessCommandLine has_any ("-a", "-i")
| extend ExecutionMethod = "PcaluaBypass"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ExecutionMethod;
// Detection 3: Scriptrunner.exe proxy execution
let ScriptrunnerExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "scriptrunner.exe"
| where ProcessCommandLine has_any ("-appcompat", "/appcompat", "-appcompatpath", ".exe", ".bat", ".ps1", ".cmd")
| extend ExecutionMethod = "Scriptrunner"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ExecutionMethod;
// Detection 4: WSL/bash used to execute Windows-facing commands or reach out
let WslExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("wsl.exe", "bash.exe")
| where ProcessCommandLine has_any ("-e ", "--exec", "-c ", "cmd.exe", "powershell", "net.exe", "curl", "wget", "nc", "ncat", "python", "/mnt/c", "/proc/", "base64")
| extend ExecutionMethod = "WSL"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ExecutionMethod;
// Detection 5: ssh.exe ProxyCommand / LocalCommand abuse
let SshExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "ssh.exe"
| where ProcessCommandLine has_any ("ProxyCommand", "LocalCommand", "-o ProxyCommand", "-o LocalCommand", "PermitLocalCommand")
| extend ExecutionMethod = "SSH-ProxyCommand"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ExecutionMethod;
// Union all detections
union ForfilesExec, PcaluaExec, ScriptrunnerExec, WslExec, SshExec
| sort by Timestamp desc
medium severity high confidence

Detects indirect command execution via commonly abused Windows LOLBins that proxy execution to bypass cmd.exe restrictions and Group Policy controls. Covers five primary vectors: (1) forfiles.exe with /c flag executing interpreters or encoded commands; (2) pcalua.exe (Program Compatibility Assistant) with -a/-i flags launching arbitrary executables; (3) scriptrunner.exe used as an AppCompat shim to proxy execution; (4) wsl.exe or bash.exe invoking Windows-side commands, curl/wget, or accessing Windows filesystem via /mnt/c; (5) ssh.exe abusing ProxyCommand or LocalCommand options for arbitrary command execution. Uses union across five targeted sub-queries for full coverage.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Legitimate administrative use of forfiles.exe for batch file operations, directory traversal, or scheduled maintenance scripts (e.g., deleting files older than N days)
  • WSL (wsl.exe/bash.exe) activity from developers who legitimately use Linux tools and access the Windows filesystem via /mnt/c in their daily workflows
  • System compatibility infrastructure invoking pcalua.exe when users launch legacy applications that trigger Program Compatibility Assistant automatically
  • SSH client usage with ProxyCommand set in ~/.ssh/config for legitimate jump-host configurations or tunneling through bastion hosts
  • Scriptrunner.exe invoked by application shims during compatibility testing or software packaging processes
Download portable Sigma rule (.yml)

Other platforms for T1202

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Forfiles Indirect Command Execution via cmd.exe

    Expected signal: Sysmon Event ID 1: Process Create for forfiles.exe with CommandLine containing '/c cmd /c whoami'. Subsequent Sysmon Event ID 1: Process Create for cmd.exe with ParentImage=forfiles.exe. Sysmon Event ID 11: File Create for the output file in %TEMP%. Security Event ID 4688 (if command line auditing enabled) for both forfiles.exe and cmd.exe.

  2. Test 2Pcalua.exe Proxy Execution of Calculator (Binary Launch Bypass)

    Expected signal: Sysmon Event ID 1: Process Create for pcalua.exe with CommandLine 'pcalua.exe -a calc.exe'. Sysmon Event ID 1: Process Create for calc.exe with ParentImage=pcalua.exe. Security Event ID 4688 for both processes. The parent-child relationship (pcalua → calc) is the key telemetry indicator.

  3. Test 3WSL Indirect Execution of Windows Binary via /mnt/c

    Expected signal: Sysmon Event ID 1: Process Create for wsl.exe with CommandLine containing '-e /bin/sh -c cmd.exe'. Child process creation for cmd.exe or the shell spawned within WSL context. Sysmon Event ID 11: File Create for the output file at C:\Users\Public\. The wsl.exe parent attribution is the key telemetry.

  4. Test 4Forfiles Execute PowerShell Payload (Simulated Lazarus Group Pattern)

    Expected signal: Sysmon Event ID 1: Process Create for forfiles.exe with CommandLine containing 'powershell.exe'. Subsequent Sysmon Event ID 1: Process Create for powershell.exe with ParentImage=forfiles.exe. PowerShell Script Block Logging Event ID 4104 showing the Get-Date command. Sysmon Event ID 11 for the output file.

  5. Test 5SSH.exe ProxyCommand Arbitrary Command Execution

    Expected signal: Sysmon Event ID 1: Process Create for ssh.exe with CommandLine containing 'ProxyCommand' and 'cmd.exe'. Sysmon Event ID 1: Child process create for cmd.exe with ParentImage=ssh.exe. Sysmon Event ID 11: File Create for the output file. Network connection attempt Event ID 3 to localhost:22 (will fail). The ProxyCommand string in the SSH command line is the primary detection indicator.

Last updated: 2026-04-19 Research depth: deep
References (13)

Unlock Pro Content

Get the full detection package for T1202 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1059Command and Scripting InterpreterT1059.001PowerShellT1059.003Windows Command ShellT1218System Binary Proxy ExecutionT1218.011Rundll32T1027Obfuscated Files or InformationT1564Hide ArtifactsT1053.005Scheduled TaskT1105Ingress Tool TransferT1021.004SSH

Same Tactic: Defense Evasion

Popular Detections