MITRE ATT&CK® Analytic

AN0576: Analytic 0576

Cause→effect chain: (1) A user or service launches an indirection utility (e.g., forfiles.exe, pcalua.exe, wsl.exe, scriptrunner.exe, ssh.exe with -o ProxyCommand/LocalCommand). (2) That utility spawns a secondary program/command (PowerShell, cmd, msiexec, regsvr32, curl, arbitrary EXE) and/or opens outbound network connections. (3) Optional precursor modification of SSH config to persist LocalCommand/ProxyCommand. Correlate process creation, command/script content, file access to %USERPROFILE%\.ssh\config, and network connections from the utility or its child.

Enterprise | AN0576 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about Windows utilities being used as launch points for other commands or outbound connections. The business significance is not the utility name itself, but the indirection: activity may appear to come from legitimate tools while the real intent is carried by a child process, script content, SSH configuration change, or network connection. Leaders should treat this as a coverage validation question for endpoint, network, and SOC correlation rather than a single-signature detection problem.

Executive priority

Prioritize this where Windows endpoints, administrative workstations, developer systems, or systems using SSH are important to business operations. The key decision value is whether the organization can prove it sees parent-child process chains, command content, SSH config access under user profiles, and outbound network activity from unusual utility-driven execution. This supports incident response readiness, audit evidence for monitoring controls, and better prioritization of endpoint logging and detection engineering work.

Technical view

Validate telemetry and analytics for Windows process creation where indirection utilities such as forfiles.exe, pcalua.exe, wsl.exe, scriptrunner.exe, or ssh.exe launch secondary programs such as PowerShell, cmd, msiexec, regsvr32, curl, or arbitrary executables. For ssh.exe, include command-line options such as ProxyCommand or LocalCommand and watch for precursor access or modification to %USERPROFILE%\.ssh\config. Correlate the parent utility, child process, command/script content, file access, and network connections from either the utility or its child process. Because no ATT&CK tactic or relationship context is supplied, local baselining is required to separate administrative or developer workflows from suspicious indirection.

Likely telemetry

  • Windows process creation events with parent-child process relationships
  • Command-line arguments and script or command content where available
  • File access or modification events for %USERPROFILE%\.ssh\config
  • Outbound network connection telemetry from the indirection utility and spawned child processes
  • Endpoint process-to-network correlation data

Detection direction

  • Confirm that detections do not only alert on the child tool; they should preserve the parent utility context and full command line.
  • Tune for unusual parent-child combinations involving listed indirection utilities spawning shells, installers, script interpreters, registration utilities, download tools, or arbitrary executables.
  • For ssh.exe, validate visibility into ProxyCommand and LocalCommand usage and correlate with recent SSH config file access or modification.
  • Baseline legitimate administrative, developer, and automation use of forfiles.exe, pcalua.exe, wsl.exe, scriptrunner.exe, and ssh.exe to reduce false positives.
  • Check blind spots where endpoint logging captures process names but not command line, file access, or network connections.
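The correlation described in the bullets above, written out as an added example (not code from the original page or from MITRE/Glexia). It runs over a handful of constructed Sysmon-style event records: process creation with parent PID and command line, a write to the user's `.ssh\config`, and a process-linked network connection. The detector keys on the indirection utility as the parent, keeps its full command line, checks `ssh.exe` for `ProxyCommand`/`LocalCommand`, links outbound connections from the utility or its child, and attaches the SSH config write as a precursor within an assumed 24-hour window. The `baseline` parameter and the `KNOWN_GOOD` triple are assumptions standing in for the local baselining the page calls for; the event field names and sample values are constructed, not real telemetry.

```python
"""Correlate Windows endpoint telemetry for the AN0576 cause->effect chain.

Added example: events are constructed Sysmon-like dicts, not real logs.
Event kinds used: process_create, file_modify, network_connect.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Utilities and secondary tools named in the analytic's cause->effect chain.
INDIRECTION_UTILS = {"forfiles.exe", "pcalua.exe", "wsl.exe", "scriptrunner.exe", "ssh.exe"}
TOOL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "msiexec.exe", "regsvr32.exe", "curl.exe"}
SSH_OPTION = re.compile(r"\b(ProxyCommand|LocalCommand)\b", re.IGNORECASE)
SSH_CONFIG = re.compile(r"\\\.ssh\\config$", re.IGNORECASE)
PRECURSOR_WINDOW = timedelta(hours=24)  # assumed lookback for SSH config modification


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events, baseline=frozenset()):
    """Return one finding per indirection-utility launch that completes the chain.

    baseline: set of (user, utility, child) triples that local baselining has
              marked as routine; those parent-child pairs are suppressed.
    """
    procs, children, net_by_pid, cfg_writes = {}, defaultdict(list), defaultdict(list), []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "process_create":
            procs[e["pid"]] = e
            children[e["ppid"]].append(e)
        elif e["kind"] == "network_connect":
            net_by_pid[e["pid"]].append(e)
        elif e["kind"] == "file_modify" and SSH_CONFIG.search(e["path"]):
            cfg_writes.append(e)

    findings = []
    for util in procs.values():
        util_name = image_name(util["image"])
        if util_name not in INDIRECTION_UTILS:
            continue
        # Step 2 of the chain: secondary program and/or network connection.
        kids = [c for c in children[util["pid"]]
                if (util["user"], util_name, image_name(c["image"])) not in baseline]
        indicators = []
        for c in kids:
            kind = "tool" if image_name(c["image"]) in TOOL_CHILDREN else "executable"
            indicators.append(f"spawned {kind} {image_name(c['image'])} (pid {c['pid']})")
        if util_name == "ssh.exe" and SSH_OPTION.search(util["cmdline"]):
            indicators.append("ssh.exe launched with ProxyCommand/LocalCommand option")
        for p in [util] + kids:
            for n in net_by_pid[p["pid"]]:
                indicators.append(f"network connection to {n['dest']} from {image_name(p['image'])} (pid {p['pid']})")
        if not indicators:
            continue  # utility ran without spawning or connecting: no chain to report
        # Step 3 (optional precursor): same user modified .ssh\config shortly before.
        for w in cfg_writes:
            delta = (util["ts"] - w["ts"]).total_seconds()
            if w["user"] == util["user"] and 0 <= delta <= PRECURSOR_WINDOW.total_seconds():
                indicators.append(f"precursor: {w['path']} modified at {w['ts'].isoformat()}")
        findings.append({"utility": util_name, "pid": util["pid"], "user": util["user"],
                         "cmdline": util["cmdline"], "indicators": indicators})
    return findings


T0 = datetime(2026, 1, 15, 10, 0, 0)
SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real host
    {"kind": "process_create", "ts": T0, "pid": 100, "ppid": 1, "user": "CORP\\alice",
     "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"kind": "file_modify", "ts": T0 + timedelta(minutes=1), "pid": 100, "user": "CORP\\alice",
     "path": "C:\\Users\\alice\\.ssh\\config"},
    {"kind": "process_create", "ts": T0 + timedelta(minutes=5), "pid": 200, "ppid": 100, "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "cmdline": 'ssh.exe -o ProxyCommand="cmd.exe /c echo probe" user@host.example'},
    {"kind": "process_create", "ts": T0 + timedelta(minutes=5, seconds=1), "pid": 201, "ppid": 200,
     "user": "CORP\\alice", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c echo probe"},
    {"kind": "network_connect", "ts": T0 + timedelta(minutes=5, seconds=2), "pid": 200, "dest": "203.0.113.10:443"},
    # Routine automation: a backup account prunes logs with forfiles -> cmd.
    {"kind": "process_create", "ts": T0 + timedelta(hours=1), "pid": 300, "ppid": 1, "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\forfiles.exe",
     "cmdline": 'forfiles /p C:\\logs /m *.log /d -30 /c "cmd /c del @file"'},
    {"kind": "process_create", "ts": T0 + timedelta(hours=1, seconds=1), "pid": 301, "ppid": 300,
     "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd /c del C:\\logs\\old.log"},
]
# Assumed local baseline: the backup account's forfiles -> cmd pattern is known-good.
KNOWN_GOOD = frozenset({("CORP\\svc_backup", "forfiles.exe", "cmd.exe")})

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS, KNOWN_GOOD):
        print(f"{f['utility']} pid {f['pid']} ({f['user']}): {f['cmdline']}")
        for i in f["indicators"]:
            print("  -", i)
```

Without the baseline both utility launches are reported; with it only the `ssh.exe` chain survives, carrying the parent command line, the child `cmd.exe`, the outbound connection and the prior `.ssh\config` write in one record, which is the context the bullets say must not be lost when only the child tool fires an alert.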

Mitigation priorities

  • Ensure Windows endpoint logging captures process creation, command-line arguments, file access, and process-linked network connections where policy allows.
  • Harden and monitor SSH client configuration locations under user profiles, especially where LocalCommand or ProxyCommand could change execution behavior.
  • Restrict unnecessary use of high-risk scripting, shell, installer, registration, and download utilities according to role and business need.
  • Use allowlisting or application control where feasible for tightly managed systems, while accounting for legitimate administrative and developer workflows.
  • Document monitoring coverage and response procedures so SOC and IR teams can quickly reconstruct the cause-to-effect chain described by the analytic.

Analyst notes and limits

This object is a detection analytic, not a technique entry. The supplied ATT&CK fields provide a clear cause-to-effect chain but no separate official detection text, tactics, or relationship context. Treat it as guidance for validating correlation logic across endpoint, file, command-line, and network evidence on Windows.

The source does not provide active exploitation claims, actor attribution, specific ATT&CK tactics, or related techniques. It also does not prove that any environment has coverage. Final severity, tuning, and response actions depend on local asset roles, legitimate administrative patterns, logging depth, and network visibility.

Official MITRE ATT&CK definition

Analytic 0576

Cause→effect chain: (1) A user or service launches an indirection utility (e.g., forfiles.exe, pcalua.exe, wsl.exe, scriptrunner.exe, ssh.exe with -o ProxyCommand/LocalCommand). (2) That utility spawns a secondary program/command (PowerShell, cmd, msiexec, regsvr32, curl, arbitrary EXE) and/or opens outbound network connections. (3) Optional precursor modification of SSH config to persist LocalCommand/ProxyCommand. Correlate process creation, command/script content, file access to %USERPROFILE%\.ssh\config, and network connections from the utility or its child.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f01b5e736fd1f068...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   f01b5e736fd1…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0576
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.