Indirect Command Execution

Detect indirect command execution via the Program Compatibility Assistant (pcalua.exe) or forfiles.exe.
| field | value |
|---|---|
| id | 884a7ccd-7305-4130-82d0-d4f90bc118b6 |
| categories | hunt |
| confidence | medium |
| os | windows |
| created | 11/30/2018 |
| updated | 11/30/2018 |
MITRE ATT&CK™ Mapping

| field | value |
|---|---|
| tactics | Defense Evasion |
| techniques | T1202 Indirect Command Execution |
Note

These processes can be used in legitimate scripts, so `unique_count` and `filter` are used to focus on outliers as opposed to commonly seen artifacts.
Query

```eql
process where subtype.create and
  parent_process_name in ("pcalua.exe", "forfiles.exe")
| unique_count command_line, process_name
| filter count < 10
```
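To show what the three pipeline stages of this query do to a batch of process-creation telemetry, here is an added Python example that is not part of the EQL analytics library. It replays the `where` clause, the `unique_count` pipe and the `filter count < 10` pipe over a small set of constructed events: twelve launches of the same cleanup command under forfiles.exe (a noisy but legitimate pattern) are collapsed into one row and dropped as common, while a single launch through pcalua.exe survives as an outlier. The event field names follow the query; the case-insensitive parent-name match and the sample command lines are assumptions made for the example.

```python
from collections import Counter

# Constructed sample process events (not real telemetry). Field names follow
# the query: subtype, parent_process_name, process_name, command_line.
SAMPLE_EVENTS = [
    # A scheduled cleanup script that drives forfiles.exe every few minutes:
    # common, repetitive, and exactly what unique_count + filter should hide.
    *[
        {"event_type": "process", "subtype": "create",
         "parent_process_name": "forfiles.exe", "process_name": "cmd.exe",
         "command_line": '/c del /q "C:\\Logs\\app.old"'}
        for _ in range(12)
    ],
    # A one-off launch through the Program Compatibility Assistant: rare,
    # so it should surface as an outlier for the analyst to review.
    {"event_type": "process", "subtype": "create",
     "parent_process_name": "pcalua.exe", "process_name": "update.exe",
     "command_line": "C:\\Users\\Public\\update.exe"},
    # Same parent and child, but a termination event: the query only looks
    # at process creation, so this must not be counted.
    {"event_type": "process", "subtype": "terminate",
     "parent_process_name": "pcalua.exe", "process_name": "update.exe",
     "command_line": "C:\\Users\\Public\\update.exe"},
    # An ordinary parent that the query does not cover at all.
    {"event_type": "process", "subtype": "create",
     "parent_process_name": "explorer.exe", "process_name": "notepad.exe",
     "command_line": "notepad.exe"},
]

# Parents named in the query's `in (...)` clause.
INDIRECT_PARENTS = {"pcalua.exe", "forfiles.exe"}


def unique_count(events, *fields):
    """Mimic the EQL unique_count pipe: one row per distinct tuple of the
    requested fields, with an added `count` of how often it was seen."""
    counts = Counter(tuple(e.get(f) for f in fields) for e in events)
    return [dict(zip(fields, key), count=n) for key, n in counts.items()]


def indirect_command_execution(events, threshold=10):
    """Apply the hunt query to a list of event dicts and return the rare rows.

    Stages mirror the EQL pipeline: the `where` clause, then `unique_count`,
    then `filter count < threshold`. Matching the parent name case-insensitively
    is an assumption about how the endpoint normalizes process names.
    """
    matched = [
        e for e in events
        if e.get("event_type") == "process"
        and e.get("subtype") == "create"
        and str(e.get("parent_process_name", "")).lower() in INDIRECT_PARENTS
    ]
    rows = unique_count(matched, "command_line", "process_name")
    rare = [r for r in rows if r["count"] < threshold]
    # Rarest first, so the most unusual command lines top the hunt output.
    return sorted(rare, key=lambda r: (r["count"], r["process_name"]))


if __name__ == "__main__":
    for row in indirect_command_execution(SAMPLE_EVENTS):
        print(f'{row["count"]:>3}  {row["process_name"]}  {row["command_line"]}')
```

Raising `threshold` widens the net at the cost of pulling back the noisy scheduled-task rows; when tuning the real query, it is the `count < 10` boundary that trades recall for analyst time, not the parent list.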