Skip to content

DET0200 Indirect Command Execution – Windows utility abuse behavior chain

Item Value
ID DET0200
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1202 (Indirect Command Execution)

Analytics

Windows

AN0576

Cause→effect chain: (1) A user or service launches an indirection utility (e.g., forfiles.exe, pcalua.exe, wsl.exe, scriptrunner.exe, ssh.exe with -o ProxyCommand/LocalCommand). (2) That utility spawns a secondary program/command (PowerShell, cmd, msiexec, regsvr32, curl, arbitrary EXE) and/or opens outbound network connections. (3) Optional precursor modification of SSH config to persist LocalCommand/ProxyCommand. Correlate process creation, command/script content, file access to %USERPROFILE%.ssh\config, and network connections from the utility or its child.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Mutable Elements
Field Description
TimeWindow Correlation window between indirect launcher and spawned child/network activity (e.g., 10–30 minutes).
AllowedUtilities Utilities permitted on admin/Jumphosts (forfiles, wsl, ssh) to reduce noise.
HighRiskChildren Child images that indicate abuse (powershell.exe, cmd.exe, rundll32.exe, regsvr32.exe, mshta.exe, msiexec.exe, curl.exe, bitsadmin.exe).
UserContext Raise severity when the actor is a standard/interactive user on a workstation rather than a server or CI agent.
DestCIDRs Known-good egress networks for SSH/WSL activity to suppress expected admin automations.