
DET0466 Detection of Script-Based Proxy Execution via Signed Microsoft Utilities

| Item | Value |
| --- | --- |
| ID | DET0466 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1216 (System Script Proxy Execution)

Analytics

Windows

AN1288

Execution of Microsoft-signed scripts and script hosts (e.g., pubprn.vbs, installutil.exe, wscript.exe, cscript.exe) used to proxy execution of untrusted or external binaries. The behavior is detected through command-line process lineage, child process spawning, and execution of an unsigned payload from a signed parent.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4103, 4104, 4105, 4106 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
Mutable Elements

| Field | Description |
| --- | --- |
| ParentProcessName | Environment-specific paths to script interpreters like wscript.exe, cscript.exe, pubprn.vbs, or installutil.exe. |
| TimeWindow | Time delta between signed script execution and suspicious child process creation. |
| ChildCommandLineRegex | Regex pattern used to detect malicious payload execution (e.g., download cradle, PowerShell decode). |
| SignedToUnsignedTransition | Indicates whether the parent is signed by Microsoft but the child is unsigned or unknown. |
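The following is an added example of the AN1288 logic, not code from the ATT&CK page: it runs the four mutable elements above (ParentProcessName, TimeWindow, ChildCommandLineRegex, SignedToUnsignedTransition) over constructed Sysmon EventCode=1 records. The tuned values, the `{p1}`-style process GUIDs, and the `Signed` field (assumed to come from an enrichment step, since Sysmon event 1 itself carries no signature status) are all assumptions made for the example.

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath

# Mutable elements from DET0466, instantiated with assumed values for this example.
PARENT_PROCESS_NAMES = {"wscript.exe", "cscript.exe", "installutil.exe"}
TIME_WINDOW_SECONDS = 30  # max delta between script-host start and the suspicious child
CHILD_COMMANDLINE_REGEX = re.compile(  # download cradle / PowerShell decode indicators
    r"downloadstring|downloadfile|invoke-webrequest|frombase64string|\s-e(nc|ncodedcommand)?\s",
    re.IGNORECASE)

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

# Constructed Sysmon EventCode=1 records. "Signed" is an assumed enrichment field.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-10-21 10:00:00.000", "ProcessGuid": "{p1}", "ParentProcessGuid": "{svc}",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs",
     "Signed": True},
    {"UtcTime": "2025-10-21 10:00:02.500", "ProcessGuid": "{p2}", "ParentProcessGuid": "{p1}",
     "Image": r"C:\Users\Public\update.exe", "CommandLine": r"C:\Users\Public\update.exe",
     "Signed": False},
    {"UtcTime": "2025-10-21 10:00:03.000", "ProcessGuid": "{p3}", "ParentProcessGuid": "{p1}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA", "Signed": True},
    {"UtcTime": "2025-10-21 10:00:05.000", "ProcessGuid": "{p4}", "ParentProcessGuid": "{p1}",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe", "Signed": True},
]

def detect(events, window_seconds=TIME_WINDOW_SECONDS):
    """Return (child ProcessGuid, reasons) for children of a signed script host that are
    unsigned or whose command line matches the payload regex, within the time window."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for child in events:
        parent = by_guid.get(child["ParentProcessGuid"])  # process lineage via Sysmon GUIDs
        if parent is None or PureWindowsPath(parent["Image"]).name.lower() not in PARENT_PROCESS_NAMES:
            continue
        if (_ts(child["UtcTime"]) - _ts(parent["UtcTime"])).total_seconds() > window_seconds:
            continue  # outside TimeWindow
        reasons = []
        if parent["Signed"] and not child["Signed"]:
            reasons.append("SignedToUnsignedTransition")
        if CHILD_COMMANDLINE_REGEX.search(child["CommandLine"]):
            reasons.append("ChildCommandLineRegex")
        if reasons:
            alerts.append((child["ProcessGuid"], reasons))
    return alerts
```

On the sample set, the unsigned `update.exe` and the encoded PowerShell child both alert while the signed, benign `notepad.exe` child does not; tightening the window excludes children started later than the delta allows.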