title: Indirect Command Execution
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
description: Detect indirect command execution via Program Compatibility Assistant
  (pcalua.exe or forfiles.exe).
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    ParentImage:
    - '*\pcalua.exe'
    - '*\forfiles.exe'
  condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Need to use extra processing with 'unique_count' / 'filter' to focus on outliers
  as opposed to commonly seen artifacts.
- Legitimate usage of scripts.
fields:
- ComputerName
- User
- ParentCommandLine
- CommandLine
id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
level: low
logsource:
  category: process_creation
  product: windows
modified: 2019/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md
- https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html
status: experimental
tags:
- attack.defense_evasion
- attack.t1202
ruletype: SIGMA