MITRE ATT&CK® Detection Strategy

DET0466: Detection of Script-Based Proxy Execution via Signed Microsoft Utilities


Enterprise | DET0466 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because it focuses on abuse of trusted, signed Microsoft script utilities to run other files. For leaders, the business issue is not the script itself, but whether trusted Windows components can be used to hide execution from application control, signature validation, or routine SOC triage. If this pathway is not monitored, an organization may overestimate the protection provided by allowlisting and signed-file trust decisions.

Executive priority

Prioritize this as a Windows execution and control-validation concern tied to ATT&CK T1216, System Script Proxy Execution. Security leaders should ask whether application control, endpoint monitoring, and incident response playbooks can distinguish normal administrative script use from trusted-script proxy execution. This is relevant to resilience and audit evidence because it tests whether controls built around signed Microsoft utilities are being validated against abuse cases, not just configured on paper.

Technical view

ATT&CK provides no standalone description, detection logic, platforms, or tactics for DET0466, but it explicitly detects T1216: System Script Proxy Execution. The related technique is Windows-focused and associated with stealth. SOC and detection teams should validate visibility into signed Microsoft scripts or utilities that launch, load, or proxy execution of other files, especially where the child activity is unusual for the host, user, path, or administrative workflow. IR teams should treat suspicious signed-script proxy behavior as a potential control-bypass indicator and pivot into parent/child process chains, script source, file provenance, and application-control decisions.

Likely telemetry

  • Windows endpoint process creation events, including parent/child relationships and command-line arguments
  • Script execution records where available
  • File creation, download, and execution metadata for proxied payloads
  • Code-signing and file reputation or certificate metadata for trusted scripts and executed files
  • Application control or allowlisting decision logs

Detection direction

  • Confirm whether monitoring captures signed Microsoft script utilities and the files they cause to execute, not just unsigned or obviously suspicious binaries.
  • Correlate parent process, child process, command line, file path, signer, and user context to identify proxy execution patterns.
  • Tune detections around deviations from normal administrative baselines, because legitimate signed scripts may be used in enterprise operations.
  • Validate that allowlisting or signature-based controls generate usable logs when trusted scripts are permitted to launch other content.
  • Review for blind spots where script telemetry, command-line logging, or application-control event collection is incomplete on Windows endpoints.
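The correlation described in the points above, expressed as runnable detection logic, is shown here as an added example; it is not code from the ATT&CK object or from the Glexia page. It assumes process-creation telemetry with Sysmon Event ID 1 style fields (Image, ParentImage, CommandLine, User, plus a signature flag), and the script name example_signed.vbs, the GUIDs, users, paths and the baseline are all constructed for the example. Two rules are applied to script-host events that run a script from a trusted Windows location: the script was handed a path or URL outside the trusted directories, and the script host spawned a child that is not in that script's baseline or is unsigned.

```python
"""Correlate Windows process-creation events to surface trusted-script proxy
execution (ATT&CK T1216). Added example, not from the ATT&CK object or the
Glexia page. Field names follow the Sysmon Event ID 1 style; the script name
example_signed.vbs, the GUIDs, users, paths and the baseline are constructed."""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
TRUSTED_DIRS = ("c:\\windows\\",)          # Microsoft-signed scripts normally live here
SCRIPT_EXTS = (".vbs", ".js", ".wsf")
# drive paths, UNC paths or URLs appearing on the command line
PATH_RE = re.compile(r'(?:[a-z]:\\[^\s"]+|\\\\[^\s"]+|https?://[^\s"]+)', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    guid: str          # ProcessGuid
    parent_guid: str   # ParentProcessGuid
    image: str         # full path of the new process
    command_line: str
    user: str
    signed: bool       # code-signature status from file/reputation telemetry


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def split_script_cmdline(cmdline: str):
    """Return (script path, other path-like arguments) from a script-host command line."""
    paths = PATH_RE.findall(cmdline)
    script = next((p for p in paths if p.lower().endswith(SCRIPT_EXTS)), None)
    return script, [p for p in paths if p != script]


def detect_proxy_execution(events, baseline):
    """baseline maps a trusted script's basename to the child images it is expected to spawn.

    Returns (rule, guid, script, user, details) tuples."""
    children = {}
    for e in events:
        children.setdefault(e.parent_guid, []).append(e)
    findings = []
    for e in events:
        if _base(e.image) not in SCRIPT_HOSTS:
            continue
        script, others = split_script_cmdline(e.command_line)
        if script is None or not _trusted(script):
            continue                      # not a trusted-location script; out of scope here
        # Rule 1: a trusted script was pointed at content outside the trusted directories
        external = [p for p in others if not _trusted(p)]
        if external:
            findings.append(("trusted-script-external-argument", e.guid, script, e.user, external))
        # Rule 2: the script host spawned a child outside the script's baseline, or an
        # unsigned child; that child is the proxied execution the allowlist never saw
        expected = baseline.get(_base(script), set())
        for c in children.get(e.guid, []):
            if _base(c.image) not in expected or not c.signed:
                findings.append(("unexpected-child-of-trusted-script", c.guid, script, e.user, [c.image]))
    return findings


BASELINE = {"example_signed.vbs": {"conhost.exe"}}   # constructed: what this script normally spawns

SAMPLE_EVENTS = [  # constructed events
    # normal admin use: trusted script, argument also under C:\Windows, expected child only
    ProcEvent("P1", "P0", r"C:\Windows\System32\cscript.exe",
              r'cscript.exe "C:\Windows\System32\example_signed.vbs" C:\Windows\Temp\job.log',
              "CORP\\svc-print", True),
    ProcEvent("P2", "P1", r"C:\Windows\System32\conhost.exe", "conhost.exe", "CORP\\svc-print", True),
    # suspicious: same trusted script handed a file from a user profile, then an unsigned child
    ProcEvent("P3", "P0", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Windows\System32\example_signed.vbs" C:\Users\alice\AppData\Local\Temp\input.xml',
              "CORP\\alice", True),
    ProcEvent("P4", "P3", r"C:\Users\alice\AppData\Local\Temp\updater.exe", "updater.exe", "CORP\\alice", False),
    # unrelated process creation, skipped by the script-host filter
    ProcEvent("P5", "P0", r"C:\Windows\explorer.exe", "explorer.exe", "CORP\\alice", True),
]

if __name__ == "__main__":
    for finding in detect_proxy_execution(SAMPLE_EVENTS, BASELINE):
        print(*finding)
```

The baseline is the local piece the page calls for: it has to be built from the hosts and administrative workflows where each signed script is legitimately used, otherwise Rule 2 fires on routine operations. Rule 1 is the cheaper signal to deploy first because it needs only command-line logging, while Rule 2 needs parent/child linkage and signature telemetry, which is exactly the blind spot the last bullet above asks teams to review.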

Mitigation priorities

  • Inventory where signed Microsoft scripts and trusted utilities are relied upon for administrative workflows.
  • Harden and monitor application control policies so trust in signed Microsoft components does not automatically imply trust in all proxied execution.
  • Restrict unnecessary script execution paths where business operations allow.
  • Ensure endpoint logging and retention are sufficient for incident reconstruction of proxy execution chains.
  • Include this behavior in SOC validation and IR tabletop scenarios focused on bypass of allowlisting or signature-based trust.

Analyst notes and limits

The supplied ATT&CK object is a detection strategy with no official description or detection content. Its practical meaning comes from the relationship showing it detects T1216, System Script Proxy Execution, which describes adversary use of trusted, often signed Microsoft scripts to proxy execution of malicious files and potentially bypass application control or signature validation.

Platforms and tactics are not specified on DET0466 itself. Windows and stealth context come only from the related T1216 technique. Local environment baselines are required to determine which signed-script executions are normal, suspicious, or policy violations.

Official MITRE ATT&CK definition

Detection of Script-Based Proxy Execution via Signed Microsoft Utilities

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1216 | System Script Proxy Execution | This object detects System Script Proxy Execution.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e14138f3d78f3776...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | e14138f3d78f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: DET0466 (source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.