Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0200: Indirect Command Execution – Windows utility abuse behavior chain

This detection strategy matters because it points defenders at a common evasion pattern: commands executed indirectly through legitimate Windows utilities...

EnterpriseDET0200Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because it points defenders at a common evasion pattern: commands executed indirectly through legitimate Windows utilities instead of obvious command-line interpreters such as cmd. For leaders, the risk is not the utility itself but the gap it can create in monitoring, response triage, and control assurance when security tooling only looks for direct shell execution.

Executive priority

Prioritize validation of Windows execution visibility and SOC playbooks for utility abuse. This is relevant to operational resilience and audit evidence because teams may believe command execution is controlled while alternate trusted utilities remain under-monitored. Security leaders should ask whether endpoint telemetry, detection engineering, and incident response procedures can explain when Windows utilities are being used for legitimate administration versus suspicious indirect execution.

Technical view

The supplied relationship says DET0200 detects ATT&CK T1202, Indirect Command Execution, in the enterprise domain, associated with the stealth tactic and Windows platform. SOC and detection teams should validate behavior-chain analytics that connect process creation, parent-child process relationships, command-line arguments, and known Windows utility execution patterns such as Forfiles, pcalua.exe, WSL components, or Scriptrunner.exe when those details are present in local telemetry. Because the official detection-strategy object has no description or detection text, implementation should be driven by local baselining and the related T1202 technique context rather than assumed MITRE-provided logic.

Likely telemetry

  • Windows process creation events with executable path, parent process, command line, user, host, and timestamp
  • Endpoint detection and response process lineage showing utility-to-child-process behavior
  • Script or utility execution logs where available for Windows administrative tooling
  • Authentication and user context around the initiating account
  • File and module execution context for Windows utilities when collected

Detection direction

  • Confirm that detections are not limited to cmd.exe or PowerShell and can identify command execution through alternate Windows utilities.
  • Build or validate analytics around unusual parent-child process chains, suspicious command-line arguments, and utility execution from unexpected users, hosts, or working directories.
  • Baseline legitimate administrative and software-management use of related utilities to reduce false positives.
  • Tune for behavior chains rather than single binary names where possible, because legitimate Windows utilities may be used in both benign and suspicious contexts.
  • Review blind spots where command-line capture, process lineage, or endpoint telemetry is absent or inconsistently retained.

Mitigation priorities

  • Start by ensuring endpoint visibility captures process creation and command-line context on Windows systems where this behavior is in scope.
  • Harden and monitor administrative use of Windows utilities that can execute commands, applying least privilege and approved administration paths where feasible.
  • Use application control or execution policy controls where business requirements allow, focusing on reducing unneeded indirect execution paths.
  • Document validated coverage and exceptions as compliance and incident-response evidence.
  • Periodically reassess detections against local administrative workflows so controls do not rely only on static utility names.
Analyst notes and limits

The ATT&CK detection-strategy object itself provides no official description, detection text, tactics, or platforms. The actionable context comes from its relationship to T1202, which describes adversary abuse of Windows utilities for indirect command execution and associates the technique with stealth. Treat this as a prompt for coverage validation rather than a complete detection specification.

This take is limited to the supplied STIX fields, external reference, and relationship context. It does not establish active exploitation, adversary attribution, specific impact, or guaranteed detection coverage. Local telemetry, asset roles, administrative practices, and control design are required to determine material risk and detection quality.

Official MITRE ATT&CK definition

Indirect Command Execution – Windows utility abuse behavior chain

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1202 Indirect Command Execution This object detects Indirect Command Execution.
Relationship explorer

All related ATT&CK context

detects · Technique T1202: Indirect Command Execution Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
9112178ac69bf8f7...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 9112178ac69b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0200
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use