
Indirect Command Execution

Anvilogic Forge

Summary
This detection rule identifies indirect command execution, in which an adversary launches commands through commonly available Windows utilities such as forfiles, fodhelper, ftp and pcalua rather than invoking cmd.exe directly. These utilities are typically not restricted and have been abused by threat actors such as Andariel and APT28 to run commands without a conventional command-line interface. The rule uses Splunk's endpoint data collection and applies a regular expression to the parent process name to match processes spawned by these tools (not to exclude them). The detection logic then produces a summarized output table of time, host, user and process details, so that analysts can recognize potentially malicious activity carried out through these indirect means. EDR logs are essential for this detection because they provide real-time visibility into process execution and surface abnormal parent-child relationships that indicate privilege abuse (fodhelper is also a UAC-bypass vector, hence T1548.002 below) and defense evasion. The referenced atomic tests give practical examples of how these techniques are executed, which helps in validating and tuning the detection.
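The matching logic described above, written as an added example rather than the Forge rule's own Splunk query: a regular expression over the parent process name selects children of forfiles, fodhelper, ftp and pcalua, and the hits are summarized per tool. The field names and the sample process-creation events are constructed for this illustration and are assumptions, not real telemetry; the regex anchors on a path separator and the end of the name so that look-alike binaries such as a hypothetical ftpsync.exe are not matched.

```python
import re
from collections import Counter

# Constructed process-creation events (assumed field names; not real EDR data).
EVENTS = [
    {"_time": "2024-02-09T10:00:01Z", "host": "WS01", "user": "CORP\\alice",
     "parent_process_name": "C:\\Windows\\System32\\forfiles.exe",
     "parent_command_line": 'forfiles /p C:\\Windows\\System32 /m notepad.exe /c "cmd /c calc.exe"',
     "process_name": "C:\\Windows\\System32\\cmd.exe",
     "process_command_line": "cmd /c calc.exe"},
    {"_time": "2024-02-09T10:02:17Z", "host": "WS01", "user": "CORP\\alice",
     "parent_process_name": "C:\\Windows\\System32\\pcalua.exe",
     "parent_command_line": "pcalua.exe -a powershell.exe",
     "process_name": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "process_command_line": "powershell.exe"},
    {"_time": "2024-02-09T10:05:40Z", "host": "WS02", "user": "CORP\\bob",
     "parent_process_name": "C:\\Windows\\System32\\ftp.exe",
     "parent_command_line": "ftp -s:C:\\Users\\Public\\cmds.txt",
     "process_name": "C:\\Windows\\System32\\cmd.exe",
     "process_command_line": "cmd.exe /c whoami"},
    {"_time": "2024-02-09T10:06:02Z", "host": "WS02", "user": "CORP\\bob",
     "parent_process_name": "C:\\Windows\\explorer.exe",
     "parent_command_line": "explorer.exe",
     "process_name": "C:\\Windows\\System32\\notepad.exe",
     "process_command_line": "notepad.exe"},
    {"_time": "2024-02-09T10:07:30Z", "host": "WS03", "user": "CORP\\carol",
     "parent_process_name": "C:\\Tools\\ftpsync.exe",   # look-alike, must not match
     "parent_command_line": "ftpsync.exe --run",
     "process_name": "C:\\Windows\\System32\\cmd.exe",
     "process_command_line": "cmd /c dir"},
    {"_time": "2024-02-09T10:09:55Z", "host": "WS03", "user": "CORP\\carol",
     "parent_process_name": "C:\\Windows\\System32\\fodhelper.exe",
     "parent_command_line": "fodhelper.exe",
     "process_name": "C:\\Windows\\System32\\cmd.exe",
     "process_command_line": "cmd.exe /c net user backdoor P@ss /add"},
]

# Match the bare tool name, optionally with .exe, preceded by a path separator or
# the start of the string, and nothing after it. Case-insensitive: Windows is.
INDIRECT_EXEC_PARENTS = re.compile(
    r"(?:^|[\\/])(forfiles|fodhelper|ftp|pcalua)(?:\.exe)?$", re.IGNORECASE)

def tool_name(parent_process_name):
    """Return the lowercase tool name if the parent is one of the watched LOLBins, else None."""
    m = INDIRECT_EXEC_PARENTS.search(parent_process_name or "")
    return m.group(1).lower() if m else None

def detect(events):
    """Keep only events whose parent is one of the indirect-execution tools and
    project them onto the columns an analyst wants in the output table."""
    hits = []
    for e in events:
        tool = tool_name(e.get("parent_process_name"))
        if tool is None:
            continue
        hits.append({
            "_time": e["_time"],
            "host": e["host"],
            "user": e["user"],
            "tool": tool,
            "parent_process_name": e["parent_process_name"],
            "parent_command_line": e.get("parent_command_line", ""),
            "process_name": e["process_name"],
            "process_command_line": e.get("process_command_line", ""),
        })
    return hits

def summarize(hits):
    """Count hits per abused tool; fodhelper hits also carry the UAC-bypass context."""
    return dict(Counter(h["tool"] for h in hits))

if __name__ == "__main__":
    for h in detect(EVENTS):
        print(h["_time"], h["host"], h["user"], h["tool"], "->", h["process_command_line"])
    print(summarize(detect(EVENTS)))
```

Tuning note: forfiles is sometimes used legitimately in scheduled maintenance scripts, so in practice the child process name and command line (cmd.exe, powershell.exe, or an executable written to a user-writable directory) are the fields to pivot on before alerting; a child of fodhelper.exe is the higher-fidelity signal, since fodhelper normally spawns nothing.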
Categories
  • Endpoint
  • Windows
  • Linux
Data Sources
  • Process
  • Windows Registry
  • File
  • Application Log
ATT&CK Techniques
  • T1548.002
  • T1202
  • T1548
Created: 2024-02-09