Indirect Command Execution¶
Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe.
| id: | 884a7ccd-7305-4130-82d0-d4f90bc118b6 |
|---|---|
| categories: | hunt |
| confidence: | medium |
| os: | windows |
| created: | 11/30/2018 |
| updated: | 11/30/2018 |
MITRE ATT&CK™ Mapping¶
| tactics: | Defense Evasion |
|---|---|
| techniques: | T1202 Indirect Command Execution |
Note
These processes can be used in legitimate scripts, so | unique_count and | filter are used to focus on outliers as opposed to commonly seen artifacts.
Query¶
process where subtype.create and
parent_process_name in ("pcalua.exe", "forfiles.exe")
| unique_count command_line, process_name
| filter count < 10