T1203 Exploitation for Client Execution Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let OfficeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mspub.exe", "visio.exe", "onenote.exe", "msaccess.exe"]);
let BrowserApps = dynamic(["chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe", "brave.exe"]);
let PDFApps = dynamic(["acrord32.exe", "acrobat.exe", "foxit reader.exe", "foxitpdfeditor.exe", "sumatrapdf.exe"]);
let SuspiciousChildren = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
  "msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe",
  "schtasks.exe", "at.exe", "wmic.exe", "msiexec.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (OfficeApps)
      or InitiatingProcessFileName has_any (BrowserApps)
      or InitiatingProcessFileName has_any (PDFApps)
| where FileName has_any (SuspiciousChildren)
| extend ExploitVector = case(
    InitiatingProcessFileName has_any (OfficeApps), "Office Application",
    InitiatingProcessFileName has_any (BrowserApps), "Browser",
    InitiatingProcessFileName has_any (PDFApps), "PDF Reader",
    "Other"
  )
| extend HighRisk = FileName in~ ("powershell.exe", "pwsh.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, AccountName, ExploitVector,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         FileName, ProcessCommandLine, FolderPath, HighRisk,
         InitiatingProcessParentFileName
| sort by Timestamp desc

critical severity high confidence

Data Sources

Process: Process Creation Microsoft Defender for Endpoint Command: Command Execution

Required Tables

DeviceProcessEvents

False Positives

Office macros legitimately launching PowerShell or cmd.exe for automation tasks (SCCM, IT scripts embedded in documents)
Browser helper objects or extensions that spawn child processes for download handling or media playback
PDF readers launching external viewers or handlers for embedded attachments (e.g., opening an Excel file embedded in a PDF)
Equation Editor (eqnedt32.exe) being spawned during legitimate document rendering on older Office versions
Developer tools or IDE integrations within browsers that spawn terminal processes

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ParentImageLower=lower(ParentImage)
| eval ImageLower=lower(Image)
| eval ExploitVector=case(
    match(ParentImageLower, "(winword|excel|powerpnt|outlook|mspub|visio|onenote|msaccess)\.exe"), "Office Application",
    match(ParentImageLower, "(chrome|firefox|msedge|iexplore|opera|brave)\.exe"), "Browser",
    match(ParentImageLower, "(acrord32|acrobat|foxit|sumatrapdf)\.exe"), "PDF Reader",
    match(ParentImageLower, "eqnedt32\.exe"), "Equation Editor",
    true(), "Other"
  )
| where ExploitVector!="Other"
| eval SuspiciousChild=if(match(ImageLower, "(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msbuild|installutil|regasm|regsvcs|schtasks|wmic|msiexec)\.exe"), 1, 0)
| where SuspiciousChild=1
| eval HighRisk=if(match(ImageLower, "(powershell|pwsh|mshta|regsvr32|rundll32|wscript|cscript)\.exe"), 1, 0)
| table _time, host, User, ExploitVector, ParentImage, ParentCommandLine, Image, CommandLine, CurrentDirectory, HighRisk
| sort - _time

critical severity high confidence

Data Sources

Process: Process Creation Sysmon Event ID 1 Command: Command Execution

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Office macros legitimately launching PowerShell or cmd.exe for automation tasks
Browser integrations spawning helper processes for download handling or protocol handlers
PDF readers opening embedded Office documents that in turn spawn child processes
Equation Editor spawned during normal document rendering on unpatched Office installations
Developer tools or terminal integrations within browsers

Elastic Security (EQL)

eql

process where event.type == "start" and
  process.parent.name : (
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "mspub.exe", "visio.exe", "onenote.exe", "msaccess.exe",
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "opera.exe", "brave.exe",
    "acrord32.exe", "acrobat.exe", "foxitpdfeditor.exe", "sumatrapdf.exe"
  ) and
  process.name : (
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
    "msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe",
    "schtasks.exe", "at.exe", "wmic.exe", "msiexec.exe"
  )

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Module Filebeat Windows Event Log Module

Required Tables

logs-endpoint.events.process-* winlogbeat-* .ds-logs-endpoint.events.process-*

False Positives

Macro-enabled Office templates used by IT or finance teams that invoke cmd.exe or PowerShell for approved administrative automation such as report generation, data export, or SharePoint integration
Enterprise browser native messaging extensions (password managers, enterprise SSO bridges, or hardware token middleware) that spawn rundll32.exe or msiexec.exe during plugin installation or credential operations
PDF reader JavaScript actions in interactive enterprise forms that call certutil.exe or wscript.exe for certificate validation, base64 decoding, or document submission workflow processing

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  devicehostname AS Hostname,
  username AS User,
  CASE
    WHEN LOWER("ParentProcessPath") MATCHES '(?i).*(winword|excel|powerpnt|outlook|mspub|visio|onenote|msaccess)\.exe.*' THEN 'Office Application'
    WHEN LOWER("ParentProcessPath") MATCHES '(?i).*(chrome|firefox|msedge|iexplore|opera|brave)\.exe.*' THEN 'Browser'
    WHEN LOWER("ParentProcessPath") MATCHES '(?i).*(acrord32|acrobat|foxit|sumatrapdf)\.exe.*' THEN 'PDF Reader'
    ELSE 'Other'
  END AS ExploitVector,
  "ParentProcessPath",
  "ParentCommandLine",
  "ProcessPath",
  "CommandLine",
  CASE
    WHEN LOWER("ProcessPath") MATCHES '(?i).*(powershell|pwsh|mshta|regsvr32|rundll32|wscript|cscript)\.exe.*' THEN 'true'
    ELSE 'false'
  END AS HighRisk
FROM events
WHERE LOGSOURCETYPEID IN (12, 433)
  AND QIDNAME(qid) = 'Process Create'
  AND (
    LOWER("ParentProcessPath") MATCHES '(?i).*(winword|excel|powerpnt|outlook|mspub|visio|onenote|msaccess)\.exe.*'
    OR LOWER("ParentProcessPath") MATCHES '(?i).*(chrome|firefox|msedge|iexplore|opera|brave)\.exe.*'
    OR LOWER("ParentProcessPath") MATCHES '(?i).*(acrord32|acrobat|foxit|sumatrapdf)\.exe.*'
  )
  AND LOWER("ProcessPath") MATCHES '(?i).*(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msbuild|installutil|regasm|regsvcs|schtasks|wmic|msiexec)\.exe.*'
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Sysmon via WinCollect Agent Microsoft Windows Security Event Log DSM

Required Tables

events

False Positives

Business intelligence or finance team Office macros that legitimately call PowerShell or cmd.exe for scheduled report generation, SharePoint data sync, or ERP export automation
Enterprise GPO-deployed browser extensions that spawn msiexec.exe for silent component updates or DLP agent installation triggered by browser policy enforcement
PDF-based digital signing workflows in legal or compliance environments where Acrobat or Foxit calls certutil.exe for certificate chain validation during document signing

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
| where EventID = "1"
| parse regex field=ParentImage "(?i).*\\\\(?P<ParentImageName>[^\\\\]+)$" nodrop
| parse regex field=Image "(?i).*\\\\(?P<ChildImageName>[^\\\\]+)$" nodrop
| toLowerCase(ParentImageName) as ParentImageLower
| toLowerCase(ChildImageName) as ChildImageLower
| where ParentImageLower in ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mspub.exe", "visio.exe", "onenote.exe", "msaccess.exe", "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe", "brave.exe", "acrord32.exe", "acrobat.exe", "foxitpdfeditor.exe", "sumatrapdf.exe")
| where ChildImageLower in ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "schtasks.exe", "at.exe", "wmic.exe", "msiexec.exe")
| if(ParentImageLower in ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mspub.exe", "visio.exe", "onenote.exe", "msaccess.exe"), "Office Application", if(ParentImageLower in ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe", "brave.exe"), "Browser", if(ParentImageLower in ("acrord32.exe", "acrobat.exe", "foxitpdfeditor.exe", "sumatrapdf.exe"), "PDF Reader", "Other"))) as ExploitVector
| if(ChildImageLower in ("powershell.exe", "pwsh.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "wscript.exe", "cscript.exe"), "true", "false") as HighRisk
| fields _messageTime, Computer, User, ExploitVector, ParentImageName, ParentCommandLine, ChildImageName, CommandLine, HighRisk
| sort by _messageTime desc

high severity high confidence

Data Sources

Sysmon for Windows via Sumo Logic Installed Collector Windows Event Log via Sumo Logic Hosted Collector

Required Tables

Sysmon Event ID 1 Process Create logs

False Positives

Legitimate Office macro automation used by business operations teams that invoke PowerShell or cmd.exe for data pipeline tasks, SharePoint integration, or ERP system interactions
Enterprise browser native messaging host configurations that spawn msiexec.exe or rundll32.exe for managed software deployment, smart card reader middleware, or DLP agent bridging
Interactive Acrobat or Foxit PDF forms in compliance or legal workflows that call wscript.exe or certutil.exe for document-level scripting and certificate authority verification

Google Chronicle / SecOps

yaral

rule t1203_client_exploitation_suspicious_child_spawn {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1203 Exploitation for Client Execution via LOLBins or script interpreters spawned by Office apps, browsers, or PDF readers"
    severity = "HIGH"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1203"
    reference = "https://attack.mitre.org/techniques/T1203/"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex(
      $e.principal.process.file.full_path,
      `(?i)(winword|excel|powerpnt|outlook|mspub|visio|onenote|msaccess|chrome|firefox|msedge|iexplore|opera|brave|acrord32|acrobat|foxitpdfeditor|sumatrapdf)\.exe$`
    )
    re.regex(
      $e.target.process.file.full_path,
      `(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msbuild|installutil|regasm|regsvcs|schtasks|wmic|msiexec)\.exe$`
    )
    $hostname = $e.principal.hostname

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Endpoint via Chronicle Forwarder or BindPlane CrowdStrike Falcon via Chronicle integration Carbon Black via Chronicle integration

Required Tables

UDM Events with event_type PROCESS_LAUNCH

False Positives

Enterprise IT automation workflows where Office applications invoke PowerShell or cmd.exe via COM automation for managed endpoint deployment scripts, patch management, or inventory collection
Browser native messaging host integrations for enterprise SSO, hardware security key management, or privileged access management tools that spawn rundll32.exe or msiexec.exe for local middleware communication
Adobe Acrobat Pro or Foxit enterprise licensing scripts that invoke certutil.exe or wscript.exe during product activation, certificate-based authentication setup, or enterprise policy enforcement on managed desktops

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2
| ParentBaseFileName = /(?i)^(winword|excel|powerpnt|outlook|mspub|visio|onenote|msaccess|chrome|firefox|msedge|iexplore|opera|brave|acrord32|acrobat|foxitpdfeditor|sumatrapdf)\.exe$/
| FileName = /(?i)^(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msbuild|installutil|regasm|regsvcs|schtasks|wmic|msiexec)\.exe$/
| ExploitVector := case {
    ParentBaseFileName = /(?i)(winword|excel|powerpnt|outlook|mspub|visio|onenote|msaccess)\.exe/ => "Office Application";
    ParentBaseFileName = /(?i)(chrome|firefox|msedge|iexplore|opera|brave)\.exe/ => "Browser";
    ParentBaseFileName = /(?i)(acrord32|acrobat|foxit|sumatrapdf)\.exe/ => "PDF Reader";
    * => "Other"
  }
| HighRisk := if(FileName = /(?i)(powershell|pwsh|mshta|regsvr32|rundll32|wscript|cscript)\.exe$/, "true", "false")
| select([_time, ComputerName, UserName, ExploitVector, ParentBaseFileName, ParentCommandLine, FileName, CommandLine, TargetProcessId, ContextProcessId, HighRisk])
| sort(field=_time, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike Falcon LogScale (Humio)

Required Tables

ProcessRollup2 Falcon telemetry event stream

False Positives

Helpdesk or RMM tool automation that uses Office COM interop to remotely invoke PowerShell or cmd.exe for managed endpoint diagnostics, software inventory, or configuration remediation on corporate workstations
Enterprise browser extensions designed for privileged access management, hardware security key authentication, or smart card middleware that launch rundll32.exe to communicate with local PKCS11 or CCID drivers
Adobe Acrobat Pro or Foxit enterprise license management and activation scripts that call certutil.exe or wscript.exe during seat management, certificate-based DRM enforcement, or volume license renewal tasks

Exploitation for Client Execution

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Execution

Popular Detections