T1204

User Execution

Adversaries rely on specific actions by a user to gain execution. Users are subjected to social engineering to execute malicious code by opening malicious document files, clicking links, running copy-pasted commands, or installing remote access tools under false pretenses. This technique frequently follows phishing (T1566) and encompasses a wide range of deceptive methods including malicious Office documents spawning shells, fake CAPTCHAs instructing users to paste PowerShell into Run dialogs (ClickFix/ClearFake), tech support scams prompting RAT installation, and malicious LNK files on removable media. Threat groups including Scattered Spider, LAPSUS$, and malware families like Lumma Stealer and Raspberry Robin rely heavily on user-initiated execution to bypass automated defenses.

Microsoft Sentinel / Defender

kusto

let OfficeAndDocApps = dynamic([
  "WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE",
  "MSPUB.EXE", "ONENOTE.EXE", "VISIO.EXE",
  "acrord32.exe", "acrobat.exe", "foxitreader.exe",
  "chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe"
]);
let ShellInterpreters = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
  "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
  "certutil.exe", "bitsadmin.exe"
]);
let RATBinaries = dynamic([
  "anydesk.exe", "teamviewer.exe", "screenconnect.exe",
  "connectwisecontrol.exe", "splashtopstreamer.exe", "ultraviewer.exe",
  "rustdesk.exe", "supremo.exe", "ammyy admin.exe", "radmin.exe",
  "atera_agent.exe", "level.exe", "fleetdeck.exe", "netsupport.exe"
]);
let UserWritablePaths = dynamic([
  "\\Downloads\\", "\\Desktop\\",
  "\\AppData\\Local\\Temp\\", "\\Users\\Public\\",
  "\\AppData\\Roaming\\"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| extend IsOfficeOrBrowserParent = InitiatingProcessFileName has_any (OfficeAndDocApps)
| extend IsShellChild = FileName has_any (ShellInterpreters)
| extend IsRATExecution = FileName has_any (RATBinaries)
| extend IsUserDirExec = FolderPath has_any (UserWritablePaths)
    and FileName endswith ".exe"
    and InitiatingProcessFileName =~ "explorer.exe"
// Exclude common legitimate browser-spawned updaters
| where not (
    IsUserDirExec
    and FileName in~ ("OneDriveSetup.exe", "Teams.exe", "Slack.exe",
                      "Zoom.exe", "update.exe", "setup.exe")
  )
| extend OfficeShellSpawn = IsOfficeOrBrowserParent and IsShellChild
| where OfficeShellSpawn or IsRATExecution or IsUserDirExec
| extend DetectionCategory = case(
    OfficeShellSpawn, "Office/Browser Shell Spawn",
    IsRATExecution, "Remote Access Tool Execution (Possible Social Engineering)",
    "Executable Launched from User-Writable Directory"
  )
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          ProcessCommandLine, InitiatingProcessFileName,
          InitiatingProcessCommandLine, DetectionCategory
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate IT-deployed remote access tools (AnyDesk, TeamViewer, ScreenConnect) installed by helpdesk staff — these should appear with MSI/SCCM parent processes rather than browsers or explorer.exe
Developers running scripts directly from their Downloads or Desktop folder — allowlist known developer workstations or specific AccountNames with documented exceptions
Office macros used by finance or operations teams for legitimate automation — document and allowlist specific macro-enabled workbooks and the user accounts that run them
Browser-spawned update helpers or credential managers that briefly launch from AppData\Roaming — build a baseline of expected binaries per application

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ParentImageLower=lower(ParentImage)
| eval ImageLower=lower(Image)
| eval CommandLineLower=lower(CommandLine)
| eval FolderPath=lower(replace(Image, "[^\\\\/]+$", ""))
| eval IsOfficeOrBrowserParent=if(
    match(ParentImageLower,
      "(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mspub\.exe|onenote\.exe|visio\.exe|acrord32\.exe|acrobat\.exe|foxitreader\.exe|chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe)"),
    1, 0)
| eval IsShellChild=if(
    match(ImageLower,
      "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe)"),
    1, 0)
| eval IsRATExecution=if(
    match(ImageLower,
      "(anydesk\.exe|teamviewer\.exe|screenconnect\.exe|connectwisecontrol\.exe|splashtopstreamer\.exe|ultraviewer\.exe|rustdesk\.exe|supremo\.exe|radmin\.exe|atera_agent\.exe|netsupport\.exe)"),
    1, 0)
| eval IsUserDirExec=if(
    match(lower(Image), "(\\\\downloads\\\\|\\\\desktop\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\users\\\\public\\\\|\\\\appdata\\\\roaming\\\\)")
    AND match(ImageLower, "\.exe$")
    AND match(ParentImageLower, "explorer\.exe"),
    1, 0)
| eval OfficeShellSpawn=if(IsOfficeOrBrowserParent=1 AND IsShellChild=1, 1, 0)
| where OfficeShellSpawn=1 OR IsRATExecution=1 OR IsUserDirExec=1
| eval DetectionCategory=case(
    OfficeShellSpawn=1, "Office/Browser Shell Spawn",
    IsRATExecution=1, "Remote Access Tool Execution",
    1=1, "Executable from User-Writable Directory")
| where NOT (IsUserDirExec=1 AND match(ImageLower, "(onedrive|teams\.exe|slack\.exe|zoom\.exe|update\.exe|setup\.exe)"))
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionCategory
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Helpdesk-deployed remote access tools installed by IT through approved channels — parent process will be msiexec.exe or a management agent rather than browser or explorer.exe
Developers running build scripts or installers directly from Desktop or Downloads — expected on developer workstations; scope alerts to non-developer OUs or asset groups
Finance team Excel macros invoking cmd.exe for legacy automation — document and exclude specific workbook paths and associated user accounts after review
Browser extensions that spawn helper processes — typically spawn from a versioned subdirectory of AppData, not the root Downloads or Desktop paths

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5s
  [process where event.type == "start" and
    process.parent.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE",
                            "MSPUB.EXE", "ONENOTE.EXE", "VISIO.EXE",
                            "acrord32.exe", "acrobat.exe", "foxitreader.exe",
                            "chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe") and
    process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                    "certutil.exe", "bitsadmin.exe")] by process.parent.entity_id

pipe

process where event.type == "start" and
  process.name : ("anydesk.exe", "teamviewer.exe", "screenconnect.exe",
                  "connectwisecontrol.exe", "splashtopstreamer.exe", "ultraviewer.exe",
                  "rustdesk.exe", "supremo.exe", "radmin.exe", "atera_agent.exe",
                  "netsupport.exe", "level.exe", "fleetdeck.exe")

pipe

process where event.type == "start" and
  process.parent.name : "explorer.exe" and
  process.name : "*.exe" and
  process.executable : ("*\\Downloads\\*", "*\\Desktop\\*",
                         "*\\AppData\\Local\\Temp\\*", "*\\Users\\Public\\*",
                         "*\\AppData\\Roaming\\*") and
  not process.name : ("OneDriveSetup.exe", "Teams.exe", "Slack.exe",
                       "Zoom.exe", "update.exe", "setup.exe")

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-* winlogbeat-* logs-windows.*

False Positives

Legitimate macro-enabled Office documents used by finance or HR teams that spawn cmd.exe for scripted data exports or report generation
IT administrators deploying TeamViewer, AnyDesk, or ScreenConnect for authorized remote support — especially common during onboarding or helpdesk workflows
Developers running executables from Downloads or Desktop during software evaluation, testing, or personal productivity workflows on unmanaged endpoints

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "sourceip",
  QIDNAME(qid) AS event_name,
  "ParentImage",
  "Image",
  "CommandLine",
  CASE
    WHEN LOWER("ParentImage") MATCHES REGEX '(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mspub\.exe|onenote\.exe|visio\.exe|acrord32\.exe|acrobat\.exe|foxitreader\.exe|chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe)'
         AND LOWER("Image") MATCHES REGEX '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe)'
      THEN 'Office/Browser Shell Spawn'
    WHEN LOWER("Image") MATCHES REGEX '(anydesk\.exe|teamviewer\.exe|screenconnect\.exe|connectwisecontrol\.exe|splashtopstreamer\.exe|ultraviewer\.exe|rustdesk\.exe|supremo\.exe|radmin\.exe|atera_agent\.exe|netsupport\.exe)'
      THEN 'Remote Access Tool Execution'
    WHEN LOWER("ParentImage") MATCHES REGEX 'explorer\.exe'
         AND LOWER("Image") MATCHES REGEX '\.exe$'
         AND LOWER("Image") MATCHES REGEX '(\\\\downloads\\\\|\\\\desktop\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\users\\\\public\\\\|\\\\appdata\\\\roaming\\\\)'
         AND NOT LOWER("Image") MATCHES REGEX '(onedrive|teams\.exe|slack\.exe|zoom\.exe|update\.exe|setup\.exe)'
      THEN 'Executable from User-Writable Directory'
    ELSE 'Unknown'
  END AS detection_category
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 119)
  AND "EventID" = '1'
  AND LONG(starttime) >= LONG(NOW()) - 86400000
  AND (
    (
      LOWER("ParentImage") MATCHES REGEX '(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mspub\.exe|onenote\.exe|visio\.exe|acrord32\.exe|acrobat\.exe|foxitreader\.exe|chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe)'
      AND LOWER("Image") MATCHES REGEX '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe)'
    )
    OR LOWER("Image") MATCHES REGEX '(anydesk\.exe|teamviewer\.exe|screenconnect\.exe|connectwisecontrol\.exe|splashtopstreamer\.exe|ultraviewer\.exe|rustdesk\.exe|supremo\.exe|radmin\.exe|atera_agent\.exe|netsupport\.exe)'
    OR (
      LOWER("ParentImage") MATCHES REGEX 'explorer\.exe'
      AND LOWER("Image") MATCHES REGEX '\.exe$'
      AND LOWER("Image") MATCHES REGEX '(\\\\downloads\\\\|\\\\desktop\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\users\\\\public\\\\|\\\\appdata\\\\roaming\\\\)'
      AND NOT LOWER("Image") MATCHES REGEX '(onedrive|teams\.exe|slack\.exe|zoom\.exe|update\.exe|setup\.exe)'
    )
  )
ORDER BY starttime DESC

high severity high confidence

Data Sources

IBM QRadar SIEM Sysmon via Windows Event Forwarding QRadar Windows Security DSM

Required Tables

events

False Positives

Legitimate macro-enabled documents used in business workflows (e.g., Excel-based automation triggering cmd.exe for data processing pipelines in finance departments)
Authorized deployment of remote management tools such as TeamViewer or ScreenConnect by IT helpdesk teams for endpoint support
Software developers running executables from Downloads or AppData directories during local build, test, or evaluation workflows

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process
| json field=_raw "EventID", "ParentImage", "Image", "CommandLine", "ParentCommandLine", "User", "Computer" nodrop
| where EventID = "1"
| toLowerCase(ParentImage) as parent_lower
| toLowerCase(Image) as image_lower
| eval office_or_browser_parent = if(
    parent_lower matches "*(winword.exe|excel.exe|powerpnt.exe|outlook.exe|mspub.exe|onenote.exe|visio.exe|acrord32.exe|acrobat.exe|foxitreader.exe|chrome.exe|msedge.exe|firefox.exe|iexplore.exe|opera.exe)*",
    1, 0)
| eval shell_child = if(
    image_lower matches "*(cmd.exe|powershell.exe|pwsh.exe|wscript.exe|cscript.exe|mshta.exe|rundll32.exe|regsvr32.exe|certutil.exe|bitsadmin.exe)*",
    1, 0)
| eval rat_execution = if(
    image_lower matches "*(anydesk.exe|teamviewer.exe|screenconnect.exe|connectwisecontrol.exe|splashtopstreamer.exe|ultraviewer.exe|rustdesk.exe|supremo.exe|radmin.exe|atera_agent.exe|netsupport.exe)*",
    1, 0)
| eval user_dir_exec = if(
    image_lower matches "*(\\downloads\\|\\desktop\\|\\appdata\\local\\temp\\|\\users\\public\\|\\appdata\\roaming\\)*"
    and image_lower matches "*.exe"
    and parent_lower matches "*explorer.exe*",
    1, 0)
| eval office_shell_spawn = if(office_or_browser_parent = 1 and shell_child = 1, 1, 0)
| where office_shell_spawn = 1 or rat_execution = 1 or user_dir_exec = 1
| where not (
    user_dir_exec = 1
    and image_lower matches "*(onedrive|teams.exe|slack.exe|zoom.exe|update.exe|setup.exe)*"
  )
| eval detection_category = if(office_shell_spawn = 1, "Office/Browser Shell Spawn",
    if(rat_execution = 1, "Remote Access Tool Execution",
      "Executable from User-Writable Directory"))
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, detection_category
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector (Windows) Sysmon for Windows Sumo Logic Cloud SIEM Enterprise

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=endpoint/process

False Positives

Legitimate business macros in Excel or Word that invoke cmd.exe or PowerShell for ETL tasks, report generation, or workflow automation in enterprise environments
IT-approved remote access tools installed as part of managed service agreements or active helpdesk support sessions
End-user installation of legitimate productivity software downloaded from the internet and run via explorer from the Downloads folder

Google Chronicle / SecOps

yaral

rule t1204_user_execution {
  meta:
    author = "Detection Engineering"
    description = "Detects T1204 User Execution via office/browser shell spawn, RAT execution, or executables from user-writable directories"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1204"
    mitre_attack_technique_name = "User Execution"
    severity = "HIGH"
    priority = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1204/"
    created = "2026-04-19"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.metadata.product_name = "WINDOWS"

    // Pattern 1: Office/Browser spawning shell interpreter
    (
      re.regex($e.principal.process.file.full_path,
        `(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mspub\.exe|onenote\.exe|visio\.exe|acrord32\.exe|acrobat\.exe|foxitreader\.exe|chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe)$`)
      and re.regex($e.target.process.file.full_path,
        `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe)$`)
    )
    or
    // Pattern 2: RAT binary execution (social engineering)
    re.regex($e.target.process.file.full_path,
      `(?i)(anydesk\.exe|teamviewer\.exe|screenconnect\.exe|connectwisecontrol\.exe|splashtopstreamer\.exe|ultraviewer\.exe|rustdesk\.exe|supremo\.exe|radmin\.exe|atera_agent\.exe|netsupport\.exe|level\.exe|fleetdeck\.exe)$`)
    or
    // Pattern 3: Executable launched from user-writable directory via Explorer
    (
      re.regex($e.principal.process.file.full_path, `(?i)explorer\.exe$`)
      and re.regex($e.target.process.file.full_path, `(?i)\.exe$`)
      and re.regex($e.target.process.file.full_path,
        `(?i)(\\Downloads\\|\\Desktop\\|\\AppData\\Local\\Temp\\|\\Users\\Public\\|\\AppData\\Roaming\\)`)
      and not re.regex($e.target.process.file.full_path,
        `(?i)(OneDriveSetup\.exe|Teams\.exe|Slack\.exe|Zoom\.exe|update\.exe|setup\.exe)$`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) Windows Endpoint Detection (via Chronicle Forwarder or partner ingestion)

Required Tables

PROCESS_LAUNCH UDM events

False Positives

Finance or operations teams using Excel macros that legitimately call PowerShell or cmd.exe as part of automated data processing or ERP integrations
Authorized remote desktop tools deployed by managed service providers or IT teams for legitimate support sessions, especially in organizations without centralized MDM whitelisting
Developers and power users running downloaded installers or portable tools directly from the Downloads or Desktop folder during evaluation or onboarding

CrowdStrike LogScale (CQL)

cql

// T1204 User Execution — CrowdStrike LogScale (Falcon)
// Pattern 1: Office/Browser spawning shell interpreter
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^(WINWORD|EXCEL|POWERPNT|OUTLOOK|MSPUB|ONENOTE|VISIO|acrord32|acrobat|foxitreader|chrome|msedge|firefox|iexplore|opera)\.exe$/
| ImageFileName = /(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe$/
| eval DetectionCategory="Office/Browser Shell Spawn"
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionCategory])

union

// Pattern 2: Remote Access Tool execution
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(anydesk|teamviewer|screenconnect|connectwisecontrol|splashtopstreamer|ultraviewer|rustdesk|supremo|radmin|atera_agent|netsupport|level|fleetdeck)\.exe$/
| eval DetectionCategory="Remote Access Tool Execution"
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionCategory])

union

// Pattern 3: Executable launched from user-writable directory via explorer.exe
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^explorer\.exe$/
| ImageFileName = /(?i)\.exe$/
| ImageFileName = /(?i)(\\Downloads\\|\\Desktop\\|\\AppData\\Local\\Temp\\|\\Users\\Public\\|\\AppData\\Roaming\\)/
| ImageFileName != /(?i)(OneDriveSetup|Teams|Slack|Zoom|update|setup)\.exe$/
| eval DetectionCategory="Executable from User-Writable Directory"
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionCategory])

| sort(@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon Insight XDR CrowdStrike LogScale / Humio

Required Tables

ProcessRollup2 (#event_simpleName=ProcessRollup2)

False Positives

Legitimate business use of Office macros that call PowerShell or cmd.exe for ETL, report generation, or workflow automation — especially common in finance, HR, and operations teams
IT-sanctioned deployment or active sessions of remote access tools like TeamViewer, AnyDesk, or ScreenConnect during authorized helpdesk or managed service activities
End-user execution of downloaded software installers or portable utilities from Desktop or Downloads folder, particularly during software evaluations or self-service IT tasks on non-managed systems

Last updated: 2026-04-19 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1204 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

User Execution

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (5)

Same Tactic: Execution

Popular Detections