Detect Indirect Command Execution in Sumo Logic CSE
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd.exe directly. Tools such as Forfiles, the Program Compatibility Assistant (pcalua.exe), Windows Subsystem for Linux (WSL via wsl.exe or bash.exe), Scriptrunner.exe, and ssh.exe may invoke the execution of programs and commands from a scripting interpreter, Run window, or via scripts. Adversaries use these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and Group Policy controls that restrict cmd.exe usage or block certain file extensions. Real-world actors including Lazarus Group (forfiles for .htm execution), Revenge RAT (forfiles for command execution), and RedCurl (pcalua.exe for binary obfuscation) have demonstrated operational use of this technique.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1202 Indirect Command Execution
- Canonical reference
- https://attack.mitre.org/techniques/T1202/
Sumo Detection Query
_sourceCategory=windows/sysmon OR _sourceCategory=WinEvents/Sysmon
| where EventID = 1
| parse field=Message "Image: *" as Image nodrop
| parse field=Message "CommandLine: *" as CommandLine nodrop
| parse field=Message "ParentImage: *" as ParentImage nodrop
| parse field=Message "User: *" as User nodrop
| parse field=Message "Computer: *" as Computer nodrop
| eval Image = toLowerCase(Image)
| eval CommandLine = toLowerCase(CommandLine)
| eval ParentImage = toLowerCase(ParentImage)
| eval IsForfiles = if(matches(Image, ".*forfiles\.exe$") and (matches(CommandLine, ".*/c .*") or matches(CommandLine, ".*/c$")), 1, 0)
| eval IsPcalua = if(matches(Image, ".*pcalua\.exe$") and (matches(CommandLine, ".*-a .*") or matches(CommandLine, ".*-i .*")), 1, 0)
| eval IsScriptrunner = if(matches(Image, ".*scriptrunner\.exe$") and (matches(CommandLine, ".*-appcompat.*") or matches(CommandLine, ".*\.exe.*") or matches(CommandLine, ".*\.ps1.*") or matches(CommandLine, ".*\.bat.*")), 1, 0)
| eval IsWsl = if((matches(Image, ".*wsl\.exe$") or matches(Image, ".*bash\.exe$")) and (matches(CommandLine, ".* -c .*") or matches(CommandLine, ".*--exec.*") or matches(CommandLine, ".*/mnt/c.*") or matches(CommandLine, ".*cmd\.exe.*") or matches(CommandLine, ".*base64.*")), 1, 0)
| eval IsSshProxy = if(matches(Image, ".*ssh\.exe$") and (matches(CommandLine, ".*proxycommand.*") or matches(CommandLine, ".*localcommand.*") or matches(CommandLine, ".*permitlocalcommand.*")), 1, 0)
| eval ExecutionMethod = if(IsForfiles=1, "Forfiles", if(IsPcalua=1, "PcaluaBypass", if(IsScriptrunner=1, "Scriptrunner", if(IsWsl=1, "WSL", if(IsSshProxy=1, "SSH-ProxyCommand", null)))))
| where !isNull(ExecutionMethod)
| eval SuspiciousParent = if(matches(ParentImage, ".*(winword|excel|outlook|powerpnt|mshta|wscript|cscript|explorer|rundll32|regsvr32|msiexec)\.exe.*"), 1, 0)
| eval SuspicionScore = IsForfiles + IsPcalua + IsScriptrunner + IsWsl + IsSshProxy + SuspiciousParent
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ExecutionMethod, SuspiciousParent, SuspicionScore
| sort by _messageTime descSumo Logic query detecting T1202 indirect command execution via forfiles, pcalua, scriptrunner, WSL/bash, and ssh.exe with suspicion scoring based on process lineage.
Data Sources
Required Tables
False Positives & Tuning
- Build servers or CI/CD pipelines using scriptrunner.exe or forfiles.exe as part of automated deployment scripts
- Developers in WSL environments using bash.exe to interact with Windows file system via /mnt/c during normal development
- Network engineers using ssh.exe with ProxyCommand configurations for legitimate multi-hop SSH tunneling to infrastructure
Other platforms for T1202
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Forfiles Indirect Command Execution via cmd.exe
Expected signal: Sysmon Event ID 1: Process Create for forfiles.exe with CommandLine containing '/c cmd /c whoami'. Subsequent Sysmon Event ID 1: Process Create for cmd.exe with ParentImage=forfiles.exe. Sysmon Event ID 11: File Create for the output file in %TEMP%. Security Event ID 4688 (if command line auditing enabled) for both forfiles.exe and cmd.exe.
- Test 2Pcalua.exe Proxy Execution of Calculator (Binary Launch Bypass)
Expected signal: Sysmon Event ID 1: Process Create for pcalua.exe with CommandLine 'pcalua.exe -a calc.exe'. Sysmon Event ID 1: Process Create for calc.exe with ParentImage=pcalua.exe. Security Event ID 4688 for both processes. The parent-child relationship (pcalua → calc) is the key telemetry indicator.
- Test 3WSL Indirect Execution of Windows Binary via /mnt/c
Expected signal: Sysmon Event ID 1: Process Create for wsl.exe with CommandLine containing '-e /bin/sh -c cmd.exe'. Child process creation for cmd.exe or the shell spawned within WSL context. Sysmon Event ID 11: File Create for the output file at C:\Users\Public\. The wsl.exe parent attribution is the key telemetry.
- Test 4Forfiles Execute PowerShell Payload (Simulated Lazarus Group Pattern)
Expected signal: Sysmon Event ID 1: Process Create for forfiles.exe with CommandLine containing 'powershell.exe'. Subsequent Sysmon Event ID 1: Process Create for powershell.exe with ParentImage=forfiles.exe. PowerShell Script Block Logging Event ID 4104 showing the Get-Date command. Sysmon Event ID 11 for the output file.
- Test 5SSH.exe ProxyCommand Arbitrary Command Execution
Expected signal: Sysmon Event ID 1: Process Create for ssh.exe with CommandLine containing 'ProxyCommand' and 'cmd.exe'. Sysmon Event ID 1: Child process create for cmd.exe with ParentImage=ssh.exe. Sysmon Event ID 11: File Create for the output file. Network connection attempt Event ID 3 to localhost:22 (will fail). The ProxyCommand string in the SSH command line is the primary detection indicator.
References (13)
- https://attack.mitre.org/techniques/T1202/
- https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe
- https://x.com/vector_sec/status/896049052642533376
- https://x.com/Evi1cg/status/935027922397573120
- https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/
- https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/
- https://ss64.com/nt/scriptrunner.html
- https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/
- https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
- https://lolbas-project.github.io/lolbas/Binaries/Pcalua/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
Unlock Pro Content
Get the full detection package for T1202 including response playbook, investigation guide, and atomic red team tests.