Which SIEM platforms have a T1203 detection rule?

df00tech provides T1203 (Exploitation for Client Execution) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Exploitation for Client Execution (T1203)?

Detecting Exploitation for Client Execution requires the following data sources: Process: Process Creation, Microsoft Defender for Endpoint, Command: Command Execution.

What severity and confidence is the T1203 detection?

The T1203 detection is rated critical severity with high confidence.

What are common false positives for T1203?

Common false positives for T1203 include: Office macros legitimately launching PowerShell or cmd.exe for automation tasks (SCCM, IT scripts embedded in documents); Browser helper objects or extensions that spawn child processes for download handling or media playback; PDF readers launching external viewers or handlers for embedded attachments (e.g., opening an Excel file embedded in a PDF).

T1203

Exploitation for Client Execution

Execution Last updated: April 20, 2026

Adversaries may exploit software vulnerabilities in client applications to execute code. This includes browser-based exploitation via drive-by compromise or spearphishing links, Office application exploitation through malicious attachments (CVE-2017-11882, CVE-2017-0262, CVE-2021-40444), and third-party application exploitation (Adobe Reader, Flash). These exploits cause vulnerable client software to execute attacker-controlled code, often spawning unexpected child processes or injecting shellcode into memory.

What is T1203 Exploitation for Client Execution?

Exploitation for Client Execution (T1203) maps to the Execution tactic — the adversary is trying to run malicious code in MITRE ATT&CK.

This page provides production-ready detection logic for Exploitation for Client Execution, covering the data sources and telemetry it touches: Process: Process Creation, Microsoft Defender for Endpoint, Command: Command Execution. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Execution
Technique: T1203 Exploitation for Client Execution
Canonical reference: https://attack.mitre.org/techniques/T1203/

Microsoft Sentinel / Defender

kusto

let OfficeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mspub.exe", "visio.exe", "onenote.exe", "msaccess.exe"]);
let BrowserApps = dynamic(["chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe", "brave.exe"]);
let PDFApps = dynamic(["acrord32.exe", "acrobat.exe", "foxit reader.exe", "foxitpdfeditor.exe", "sumatrapdf.exe"]);
let SuspiciousChildren = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
  "msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe",
  "schtasks.exe", "at.exe", "wmic.exe", "msiexec.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (OfficeApps)
      or InitiatingProcessFileName has_any (BrowserApps)
      or InitiatingProcessFileName has_any (PDFApps)
| where FileName has_any (SuspiciousChildren)
| extend ExploitVector = case(
    InitiatingProcessFileName has_any (OfficeApps), "Office Application",
    InitiatingProcessFileName has_any (BrowserApps), "Browser",
    InitiatingProcessFileName has_any (PDFApps), "PDF Reader",
    "Other"
  )
| extend HighRisk = FileName in~ ("powershell.exe", "pwsh.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, AccountName, ExploitVector,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         FileName, ProcessCommandLine, FolderPath, HighRisk,
         InitiatingProcessParentFileName
| sort by Timestamp desc

Detects client application exploitation by identifying suspicious child process spawning from Office applications, browsers, and PDF readers. Monitors for exploitation payloads including CVE-2017-11882 (Equation Editor), CVE-2021-40444 (MSHTML), and browser exploit chains that spawn cmd.exe, PowerShell, LOLBins, or scripting engines. Flags high-risk child processes for prioritization.

critical severity high confidence

Data Sources

Process: Process Creation Microsoft Defender for Endpoint Command: Command Execution

Required Tables

DeviceProcessEvents

False Positives

Office macros legitimately launching PowerShell or cmd.exe for automation tasks (SCCM, IT scripts embedded in documents)
Browser helper objects or extensions that spawn child processes for download handling or media playback
PDF readers launching external viewers or handlers for embedded attachments (e.g., opening an Excel file embedded in a PDF)
Equation Editor (eqnedt32.exe) being spawned during legitimate document rendering on older Office versions
Developer tools or IDE integrations within browsers that spawn terminal processes

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ParentImageLower=lower(ParentImage)
| eval ImageLower=lower(Image)
| eval ExploitVector=case(
    match(ParentImageLower, "(winword|excel|powerpnt|outlook|mspub|visio|onenote|msaccess)\.exe"), "Office Application",
    match(ParentImageLower, "(chrome|firefox|msedge|iexplore|opera|brave)\.exe"), "Browser",
    match(ParentImageLower, "(acrord32|acrobat|foxit|sumatrapdf)\.exe"), "PDF Reader",
    match(ParentImageLower, "eqnedt32\.exe"), "Equation Editor",
    true(), "Other"
  )
| where ExploitVector!="Other"
| eval SuspiciousChild=if(match(ImageLower, "(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msbuild|installutil|regasm|regsvcs|schtasks|wmic|msiexec)\.exe"), 1, 0)
| where SuspiciousChild=1
| eval HighRisk=if(match(ImageLower, "(powershell|pwsh|mshta|regsvr32|rundll32|wscript|cscript)\.exe"), 1, 0)
| table _time, host, User, ExploitVector, ParentImage, ParentCommandLine, Image, CommandLine, CurrentDirectory, HighRisk
| sort - _time

Detects exploitation for client execution using Sysmon Event ID 1 (Process Creation). Identifies suspicious child processes spawned by Office applications, browsers, PDF readers, and Equation Editor. Flags processes commonly used in post-exploitation payloads. The ExploitVector field identifies the likely exploit delivery mechanism for faster analyst triage.

critical severity high confidence

Data Sources

Process: Process Creation Sysmon Event ID 1 Command: Command Execution

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Office macros legitimately launching PowerShell or cmd.exe for automation tasks
Browser integrations spawning helper processes for download handling or protocol handlers
PDF readers opening embedded Office documents that in turn spawn child processes
Equation Editor spawned during normal document rendering on unpatched Office installations
Developer tools or terminal integrations within browsers

Elastic Security (EQL)

eql

process where event.type == "start" and
  process.parent.name : (
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "mspub.exe", "visio.exe", "onenote.exe", "msaccess.exe",
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "opera.exe", "brave.exe",
    "acrord32.exe", "acrobat.exe", "foxitpdfeditor.exe", "sumatrapdf.exe"
  ) and
  process.name : (
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
    "msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe",
    "schtasks.exe", "at.exe", "wmic.exe", "msiexec.exe"
  )

Detects T1203 Exploitation for Client Execution using Elastic EQL process lineage correlation. Identifies LOLBins, script interpreters, and high-risk living-off-the-land executables spawned as direct child processes of Office applications, web browsers, or PDF readers — covering drive-by browser compromise, malicious document exploitation (CVE-2017-11882, CVE-2021-40444), and third-party reader abuse. The parent-child EQL match ensures low false positive rates by requiring an exact process ancestry relationship rather than loose keyword matching.

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Module Filebeat Windows Event Log Module

Required Tables

logs-endpoint.events.process-* winlogbeat-* .ds-logs-endpoint.events.process-*

False Positives

Macro-enabled Office templates used by IT or finance teams that invoke cmd.exe or PowerShell for approved administrative automation such as report generation, data export, or SharePoint integration
Enterprise browser native messaging extensions (password managers, enterprise SSO bridges, or hardware token middleware) that spawn rundll32.exe or msiexec.exe during plugin installation or credential operations
PDF reader JavaScript actions in interactive enterprise forms that call certutil.exe or wscript.exe for certificate validation, base64 decoding, or document submission workflow processing

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  devicehostname AS Hostname,
  username AS User,
  CASE
    WHEN LOWER("ParentProcessPath") MATCHES '(?i).*(winword|excel|powerpnt|outlook|mspub|visio|onenote|msaccess)\.exe.*' THEN 'Office Application'
    WHEN LOWER("ParentProcessPath") MATCHES '(?i).*(chrome|firefox|msedge|iexplore|opera|brave)\.exe.*' THEN 'Browser'
    WHEN LOWER("ParentProcessPath") MATCHES '(?i).*(acrord32|acrobat|foxit|sumatrapdf)\.exe.*' THEN 'PDF Reader'
    ELSE 'Other'
  END AS ExploitVector,
  "ParentProcessPath",
  "ParentCommandLine",
  "ProcessPath",
  "CommandLine",
  CASE
    WHEN LOWER("ProcessPath") MATCHES '(?i).*(powershell|pwsh|mshta|regsvr32|rundll32|wscript|cscript)\.exe.*' THEN 'true'
    ELSE 'false'
  END AS HighRisk
FROM events
WHERE LOGSOURCETYPEID IN (12, 433)
  AND QIDNAME(qid) = 'Process Create'
  AND (
    LOWER("ParentProcessPath") MATCHES '(?i).*(winword|excel|powerpnt|outlook|mspub|visio|onenote|msaccess)\.exe.*'
    OR LOWER("ParentProcessPath") MATCHES '(?i).*(chrome|firefox|msedge|iexplore|opera|brave)\.exe.*'
    OR LOWER("ParentProcessPath") MATCHES '(?i).*(acrord32|acrobat|foxit|sumatrapdf)\.exe.*'
  )
  AND LOWER("ProcessPath") MATCHES '(?i).*(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msbuild|installutil|regasm|regsvcs|schtasks|wmic|msiexec)\.exe.*'
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC

IBM QRadar AQL query detecting T1203 client exploitation using Sysmon Process Create (Event ID 1) custom properties mapped via the Sysmon DSM. Correlates the ParentProcessPath custom property against known client application families (Office, browser, PDF reader) and ProcessPath against a curated LOLBin and script interpreter list. LOGSOURCETYPEID 12 covers WinCollect Windows Security and 433 covers Sysmon via Universal DSM. Requires ParentProcessPath and ProcessPath custom properties to be defined and extracted in QRadar's DSM Editor for the Sysmon log source.

high severity medium confidence

Data Sources

IBM QRadar SIEM Sysmon via WinCollect Agent Microsoft Windows Security Event Log DSM

Required Tables

events

False Positives

Business intelligence or finance team Office macros that legitimately call PowerShell or cmd.exe for scheduled report generation, SharePoint data sync, or ERP export automation
Enterprise GPO-deployed browser extensions that spawn msiexec.exe for silent component updates or DLP agent installation triggered by browser policy enforcement
PDF-based digital signing workflows in legal or compliance environments where Acrobat or Foxit calls certutil.exe for certificate chain validation during document signing

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
| where EventID = "1"
| parse regex field=ParentImage "(?i).*\\\\(?P<ParentImageName>[^\\\\]+)$" nodrop
| parse regex field=Image "(?i).*\\\\(?P<ChildImageName>[^\\\\]+)$" nodrop
| toLowerCase(ParentImageName) as ParentImageLower
| toLowerCase(ChildImageName) as ChildImageLower
| where ParentImageLower in ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mspub.exe", "visio.exe", "onenote.exe", "msaccess.exe", "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe", "brave.exe", "acrord32.exe", "acrobat.exe", "foxitpdfeditor.exe", "sumatrapdf.exe")
| where ChildImageLower in ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "schtasks.exe", "at.exe", "wmic.exe", "msiexec.exe")
| if(ParentImageLower in ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mspub.exe", "visio.exe", "onenote.exe", "msaccess.exe"), "Office Application", if(ParentImageLower in ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe", "brave.exe"), "Browser", if(ParentImageLower in ("acrord32.exe", "acrobat.exe", "foxitpdfeditor.exe", "sumatrapdf.exe"), "PDF Reader", "Other"))) as ExploitVector
| if(ChildImageLower in ("powershell.exe", "pwsh.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "wscript.exe", "cscript.exe"), "true", "false") as HighRisk
| fields _messageTime, Computer, User, ExploitVector, ParentImageName, ParentCommandLine, ChildImageName, CommandLine, HighRisk
| sort by _messageTime desc

Sumo Logic search detecting T1203 client exploitation via Sysmon Event ID 1 (Process Create) logs. Extracts parent and child process base filenames from full image paths using regex named capture groups, then performs exact lowercase case-insensitive matching against Office, browser, and PDF reader application lists as parent processes and the LOLBin/script interpreter set as children. Classifies the exploit vector and flags high-risk child processes for analyst triage prioritization.

high severity high confidence

Data Sources

Sysmon for Windows via Sumo Logic Installed Collector Windows Event Log via Sumo Logic Hosted Collector

Required Tables

Sysmon Event ID 1 Process Create logs

False Positives

Legitimate Office macro automation used by business operations teams that invoke PowerShell or cmd.exe for data pipeline tasks, SharePoint integration, or ERP system interactions
Enterprise browser native messaging host configurations that spawn msiexec.exe or rundll32.exe for managed software deployment, smart card reader middleware, or DLP agent bridging
Interactive Acrobat or Foxit PDF forms in compliance or legal workflows that call wscript.exe or certutil.exe for document-level scripting and certificate authority verification

Google Chronicle / SecOps

yaral

rule t1203_client_exploitation_suspicious_child_spawn {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1203 Exploitation for Client Execution via LOLBins or script interpreters spawned by Office apps, browsers, or PDF readers"
    severity = "HIGH"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1203"
    reference = "https://attack.mitre.org/techniques/T1203/"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex(
      $e.principal.process.file.full_path,
      `(?i)(winword|excel|powerpnt|outlook|mspub|visio|onenote|msaccess|chrome|firefox|msedge|iexplore|opera|brave|acrord32|acrobat|foxitpdfeditor|sumatrapdf)\.exe$`
    )
    re.regex(
      $e.target.process.file.full_path,
      `(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msbuild|installutil|regasm|regsvcs|schtasks|wmic|msiexec)\.exe$`
    )
    $hostname = $e.principal.hostname

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1203 exploitation using PROCESS_LAUNCH UDM events. Matches principal.process.file.full_path (the spawning parent application) against Office suite, web browser, and PDF reader application regexes, and target.process.file.full_path (the newly created process) against the LOLBin and script interpreter set. The principal/target UDM semantics enforce process lineage so the rule requires the client application to be the direct parent of the suspicious child process. Backtick regex strings in YARA-L are case-insensitive via the (?i) flag.

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Endpoint via Chronicle Forwarder or BindPlane CrowdStrike Falcon via Chronicle integration Carbon Black via Chronicle integration

Required Tables

UDM Events with event_type PROCESS_LAUNCH

False Positives

Enterprise IT automation workflows where Office applications invoke PowerShell or cmd.exe via COM automation for managed endpoint deployment scripts, patch management, or inventory collection
Browser native messaging host integrations for enterprise SSO, hardware security key management, or privileged access management tools that spawn rundll32.exe or msiexec.exe for local middleware communication
Adobe Acrobat Pro or Foxit enterprise licensing scripts that invoke certutil.exe or wscript.exe during product activation, certificate-based authentication setup, or enterprise policy enforcement on managed desktops

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2
| ParentBaseFileName = /(?i)^(winword|excel|powerpnt|outlook|mspub|visio|onenote|msaccess|chrome|firefox|msedge|iexplore|opera|brave|acrord32|acrobat|foxitpdfeditor|sumatrapdf)\.exe$/
| FileName = /(?i)^(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msbuild|installutil|regasm|regsvcs|schtasks|wmic|msiexec)\.exe$/
| ExploitVector := case {
    ParentBaseFileName = /(?i)(winword|excel|powerpnt|outlook|mspub|visio|onenote|msaccess)\.exe/ => "Office Application";
    ParentBaseFileName = /(?i)(chrome|firefox|msedge|iexplore|opera|brave)\.exe/ => "Browser";
    ParentBaseFileName = /(?i)(acrord32|acrobat|foxit|sumatrapdf)\.exe/ => "PDF Reader";
    * => "Other"
  }
| HighRisk := if(FileName = /(?i)(powershell|pwsh|mshta|regsvr32|rundll32|wscript|cscript)\.exe$/, "true", "false")
| select([_time, ComputerName, UserName, ExploitVector, ParentBaseFileName, ParentCommandLine, FileName, CommandLine, TargetProcessId, ContextProcessId, HighRisk])
| sort(field=_time, order=desc)

CrowdStrike LogScale (Falcon) CQL query detecting T1203 client exploitation using ProcessRollup2 Falcon sensor events. Matches ParentBaseFileName (the direct parent process, a client application) against Office suite, browser, and PDF reader families, and FileName (the spawned child) against LOLBins and script interpreters. ProcessRollup2 events include accurate parent-child process lineage from kernel-level telemetry. ExploitVector classification and HighRisk flag support analyst triage prioritization in Falcon Investigate or LogScale dashboards.

high severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike Falcon LogScale (Humio)

Required Tables

ProcessRollup2 Falcon telemetry event stream

False Positives

Helpdesk or RMM tool automation that uses Office COM interop to remotely invoke PowerShell or cmd.exe for managed endpoint diagnostics, software inventory, or configuration remediation on corporate workstations
Enterprise browser extensions designed for privileged access management, hardware security key authentication, or smart card middleware that launch rundll32.exe to communicate with local PKCS11 or CCID drivers
Adobe Acrobat Pro or Foxit enterprise license management and activation scripts that call certutil.exe or wscript.exe during seat management, certificate-based DRM enforcement, or volume license renewal tasks

Sigma rule & cross-platform mapping

The detection logic for Exploitation for Client Execution (T1203) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1203 Sigma rules on detection.fyi

Platform-specific guides for T1203

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-20 Research depth: deep

References (7)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Simulate Office Exploitation — Equation Editor Child Process
Expected signal: Sysmon Event ID 1: Process Create with ParentImage containing eqnedt32.exe and Image=cmd.exe. Security Event ID 4688 with similar parent/child relationship if command line auditing enabled.
Test 2Office Application Spawning PowerShell via Macro Simulation
Expected signal: Sysmon Event ID 1: Process Create chain showing cmd.exe spawning powershell.exe. The detection focuses on the child process spawning pattern. PowerShell ScriptBlock Log Event ID 4104 will record the Write-Output command.
Test 3Browser Renderer Process Spawning Cmd
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with subsequent net.exe and whoami.exe child processes. This represents the reconnaissance commands commonly executed immediately following successful browser exploitation.
Test 4Mshta Spawned from Office Context (CVE-2021-40444 Pattern)
Expected signal: Sysmon Event ID 1: Process Create for mshta.exe. In real exploitation this process would have a parent of winword.exe or excel.exe. Security Event ID 4688 will also record the mshta.exe launch with command line arguments.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1203 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Exploitation for Client Execution

What is T1203 Exploitation for Client Execution?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1203

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Execution

Popular Detections

What is T1203 Exploitation for Client Execution?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1203

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Execution

Popular Detections

Get new detections in your inbox