T1204.002

Malicious File

Adversaries rely on users opening malicious files to gain code execution. Files delivered via spearphishing attachments or placed in shared directories include .doc, .xls, .pdf, .rtf, .scr, .exe, .lnk, .pif, .cpl, .iso, and others. Social engineering lures users into enabling macros, extracting archives, or double-clicking payloads. Execution typically manifests as an Office application, PDF reader, or shell process spawning a scripting engine, command interpreter, or LOLBin as a child process.

Microsoft Sentinel / Defender

kusto

let OfficeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "mspub.exe", "visio.exe", "wordpad.exe", "acrord32.exe", "foxitreader.exe", "sumatra.exe"]);
let SuspiciousChildren = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msbuild.exe", "wmic.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "cmstp.exe", "explorer.exe", "schtasks.exe", "at.exe", "net.exe", "netsh.exe", "curl.exe", "wget.exe"]);
let SuspiciousPaths = dynamic(["\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\", "\\Downloads\\", "\\Desktop\\", "\\Public\\", "\\Temp\\", "\\Windows\\Temp\\"]);
// Branch 1: Office/PDF apps spawning suspicious child processes (macro/script execution)
let OfficeSuspawnBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (OfficeApps)
| where FileName has_any (SuspiciousChildren)
| extend DetectionBranch = "Office_SuspiciousChildSpawn"
| extend RiskIndicator = strcat(InitiatingProcessFileName, " -> ", FileName);
// Branch 2: Script files (VBS/JS/HTA/WSF) executing from user writeable paths
let ScriptExecBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any (SuspiciousPaths)
    or ProcessCommandLine matches regex @"(?i)\.(vbs|vbe|js|jse|wsf|hta|ps1)[\"\'\s]?"
| extend DetectionBranch = "Script_UserPathExecution"
| extend RiskIndicator = strcat(FileName, ": ", ProcessCommandLine);
// Branch 3: LNK or ISO-based execution (shell spawning from mounted image or lnk shortcut)
let LnkIsoBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "explorer.exe"
| where ProcessCommandLine has_any (SuspiciousChildren)
| where FolderPath has_any (SuspiciousPaths)
    or InitiatingProcessCommandLine has ".lnk"
    or FolderPath matches regex @"[A-Z]:\\[A-Z0-9]{1,4}\\"
| extend DetectionBranch = "LnkIso_ShellExecution"
| extend RiskIndicator = strcat("Explorer child: ", FileName, " from ", FolderPath);
// Branch 4: Executable dropped to temp/download path and immediately launched
let DroppedExecBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (SuspiciousPaths)
| where FileName matches regex @"(?i)\.(exe|scr|pif|cpl|com)$"
| where InitiatingProcessFileName has_any (OfficeApps)
    or InitiatingProcessFileName in~ ("explorer.exe", "winrar.exe", "7z.exe", "7zg.exe", "winzip32.exe")
| extend DetectionBranch = "Dropped_ExecutableRun"
| extend RiskIndicator = strcat("Dropped binary: ", FileName, " path: ", FolderPath);
union OfficeSuspawnBranch, ScriptExecBranch, LnkIsoBranch, DroppedExecBranch
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath,
         DetectionBranch, RiskIndicator
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate macro-enabled documents used by finance or HR teams that spawn cmd.exe or PowerShell for approved business automation
IT software installation packages that extract and run executables from the user's Downloads or Temp folder (e.g., offline installers)
PDF forms with embedded JavaScript that invoke Acrobat helper processes for printing or submission
Developer toolchains that invoke build scripts (MSBuild, cscript) from project directories under AppData

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ParentImageLower=lower(ParentImage)
| eval ImageLower=lower(Image)
| eval CommandLineLower=lower(CommandLine)
| eval IsOfficeParent=if(match(ParentImageLower, "(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|onenote\.exe|mspub\.exe|visio\.exe|wordpad\.exe|acrord32\.exe|foxitreader\.exe)"), 1, 0)
| eval IsSuspiciousChild=if(match(ImageLower, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe|wmic\.exe|installutil\.exe|regasm\.exe|schtasks\.exe)"), 1, 0)
| eval IsScriptInterpreter=if(match(ImageLower, "(wscript\.exe|cscript\.exe|mshta\.exe)"), 1, 0)
| eval IsUserWritablePath=if(match(CommandLineLower, "(appdata\\local\\temp|appdata\\roaming|\\downloads\\|\\desktop\\|\\public\\|windows\\temp)"), 1, 0)
| eval IsScriptExtension=if(match(CommandLineLower, "\.(vbs|vbe|js|jse|wsf|hta|ps1)[\"'\s]"), 1, 0)
| eval IsExplorerParent=if(match(ParentImageLower, "explorer\.exe"), 1, 0)
| eval IsDroppedExec=if(match(ImageLower, "\.(exe|scr|pif|cpl|com)$") AND match(CurrentDirectory, "(temp|downloads|desktop|public)"), 1, 0)
| eval DetectionBranch=case(
    IsOfficeParent=1 AND IsSuspiciousChild=1, "Office_SuspiciousChildSpawn",
    IsScriptInterpreter=1 AND (IsUserWritablePath=1 OR IsScriptExtension=1), "Script_UserPathExecution",
    IsExplorerParent=1 AND IsSuspiciousChild=1 AND IsUserWritablePath=1, "Explorer_SuspiciousChildSpawn",
    IsDroppedExec=1, "Dropped_ExecutableRun",
    true(), "Unknown")
| where DetectionBranch!="Unknown"
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        DetectionBranch, IsOfficeParent, IsSuspiciousChild, IsScriptInterpreter,
        IsUserWritablePath, IsScriptExtension
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate macro-enabled documents used by finance or HR teams that spawn cmd.exe or PowerShell for approved business automation
IT software installation packages that extract and run executables from the user's Downloads or Temp folder
PDF forms invoking Acrobat helper processes for printing or digital signature workflows
Developer workstations where build tools are routinely invoked from project directories under AppData

Elastic Security (EQL)

eql

sequence by host.id with maxspan=2m
  [process where event.type == "start" and
   process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "mspub.exe", "visio.exe", "wordpad.exe", "acrord32.exe", "foxitreader.exe", "sumatra.exe") and
   process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msbuild.exe", "wmic.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "cmstp.exe", "schtasks.exe", "net.exe", "netsh.exe", "curl.exe", "wget.exe")]
  [any where true]
| head 500

/* Branch 2: Script interpreter executing from user-writable paths */
process where event.type == "start" and
  process.name : ("wscript.exe", "cscript.exe", "mshta.exe") and
  (
    process.args : ("*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*", "*\\Downloads\\*", "*\\Desktop\\*", "*\\Public\\*", "*\\Windows\\Temp\\*") or
    process.args : ("*.vbs", "*.vbe", "*.js", "*.jse", "*.wsf", "*.hta", "*.ps1")
  )

/* Branch 3: Explorer spawning suspicious children from LNK/ISO context */
process where event.type == "start" and
  process.parent.name : "explorer.exe" and
  process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msbuild.exe") and
  (
    process.working_directory : ("*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*", "*\\Downloads\\*", "*\\Desktop\\*", "*\\Public\\*", "*\\Windows\\Temp\\*") or
    process.parent.args : ("*.lnk")
  )

/* Branch 4: Dropped executable launched from user-writable path */
process where event.type == "start" and
  process.name : ("*.exe", "*.scr", "*.pif", "*.cpl", "*.com") and
  process.executable : ("*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*", "*\\Downloads\\*", "*\\Desktop\\*", "*\\Public\\*", "*\\Windows\\Temp\\*") and
  process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "acrord32.exe", "foxitreader.exe", "explorer.exe", "winrar.exe", "7z.exe")

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint)

Required Tables

logs-endpoint.events.process-* winlogbeat-* logs-system.security-*

False Positives

Legitimate Office macros used by finance or operations teams to automate workflows may trigger Office_SuspiciousChildSpawn — validate against an approved macro inventory and user role.
IT automation scripts (e.g., SCCM deployment packages, software installers run by IT) legitimately launch executables from Temp/Downloads paths — correlate with change management tickets and software deployment logs.
Developers using WSL, Node.js, or Python tools installed in AppData may trigger Script_UserPathExecution — verify against developer machine baselines and software asset management.
PDF readers with JavaScript support (Acrobat) calling internal helper processes or plugin DLLs may generate false positives — check parent-child chain against known Acrobat plugin paths.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username" AS user_account,
  "sourceip" AS source_ip,
  QIDNAME(qid) AS event_name,
  "EventID",
  UTF8(payload) AS raw_payload,
  CASE
    WHEN LOWER("ParentImage") MATCHES '.*?(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|onenote\.exe|mspub\.exe|acrord32\.exe|foxitreader\.exe).*'
         AND LOWER("Image") MATCHES '.*?(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe|wmic\.exe).*'
      THEN 'Office_SuspiciousChildSpawn'
    WHEN LOWER("Image") MATCHES '.*?(wscript\.exe|cscript\.exe|mshta\.exe).*'
         AND (LOWER("CommandLine") MATCHES '.*?(appdata\\local\\temp|appdata\\roaming|\\downloads\\|\\desktop\\|\\public\\|windows\\temp).*'
              OR LOWER("CommandLine") MATCHES '.*?\.(vbs|vbe|js|jse|wsf|hta|ps1)["''\s].*')
      THEN 'Script_UserPathExecution'
    WHEN LOWER("ParentImage") MATCHES '.*?explorer\.exe.*'
         AND LOWER("Image") MATCHES '.*?(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe).*'
         AND (LOWER("CommandLine") MATCHES '.*?(appdata\\local\\temp|appdata\\roaming|\\downloads\\|\\desktop\\|\\public\\).*'
              OR LOWER("ParentCommandLine") MATCHES '.*?\.lnk.*')
      THEN 'LnkIso_ShellExecution'
    WHEN LOWER("Image") MATCHES '.*?\.(exe|scr|pif|cpl|com)$'
         AND LOWER("CurrentDirectory") MATCHES '.*?(temp|downloads|desktop|public).*'
         AND LOWER("ParentImage") MATCHES '.*?(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|explorer\.exe|winrar\.exe|7z\.exe).*'
      THEN 'Dropped_ExecutableRun'
    ELSE 'Unknown'
  END AS detection_branch,
  "Image" AS child_process,
  "CommandLine" AS child_cmdline,
  "ParentImage" AS parent_process,
  "ParentCommandLine" AS parent_cmdline,
  "CurrentDirectory" AS working_dir
FROM events
WHERE
  logsourcetypename(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND "EventID" = '1'
  AND LONG(starttime) > LONG(NOW()) - 86400000
  AND CASE
    WHEN LOWER("ParentImage") MATCHES '.*?(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|onenote\.exe|mspub\.exe|acrord32\.exe|foxitreader\.exe).*'
         AND LOWER("Image") MATCHES '.*?(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe|wmic\.exe).*'
      THEN TRUE
    WHEN LOWER("Image") MATCHES '.*?(wscript\.exe|cscript\.exe|mshta\.exe).*'
         AND (LOWER("CommandLine") MATCHES '.*?(appdata\\local\\temp|appdata\\roaming|\\downloads\\|\\desktop\\|windows\\temp).*'
              OR LOWER("CommandLine") MATCHES '.*?\.(vbs|vbe|js|jse|wsf|hta|ps1).*')
      THEN TRUE
    WHEN LOWER("ParentImage") MATCHES '.*?explorer\.exe.*'
         AND LOWER("Image") MATCHES '.*?(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe).*'
         AND (LOWER("CommandLine") MATCHES '.*?(appdata|downloads|desktop|public|temp).*'
              OR LOWER("ParentCommandLine") MATCHES '.*?\.lnk.*')
      THEN TRUE
    WHEN LOWER("Image") MATCHES '.*?\.(exe|scr|pif|cpl|com)$'
         AND LOWER("CurrentDirectory") MATCHES '.*?(temp|downloads|desktop|public).*'
         AND LOWER("ParentImage") MATCHES '.*?(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|explorer\.exe|winrar\.exe).*'
      THEN TRUE
    ELSE FALSE
  END = TRUE
ORDER BY starttime DESC
LIMIT 1000

high severity high confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM) Sysmon via Windows Event Log DSM

Required Tables

events

False Positives

Sanctioned Office macro-based business automation tools (e.g., custom Excel VBA dashboards that call cmd.exe to run batch scripts) will trigger Office_SuspiciousChildSpawn — maintain a whitelist of approved macro hashes and correlate with user group membership.
Software deployment tools (SCCM, PDQ Deploy) that push packages to user temp directories and launch installers will trigger Dropped_ExecutableRun — filter by parent process being a known deployment agent executable.
Legitimate scripting frameworks used by help desk staff (AutoHotkey scripts, VBScript IT tools stored in AppData) will trigger Script_UserPathExecution — validate against the IT-managed script inventory and signing certificate.

Sumo Logic CSE

sql

// Branch 1: Office/PDF parent spawning suspicious child processes
(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where EventID = "1"
| parse field=ParentImage "*\\*" as _unused, ParentImageName nodrop
| parse field=Image "*\\*" as _unused2, ChildImageName nodrop
| toLowerCase(ParentImageName) as ParentImageLower
| toLowerCase(ChildImageName) as ChildImageLower
| toLowerCase(CommandLine) as CommandLineLower
// Classify parent type
| if (ParentImageLower matches "*winword.exe*" OR ParentImageLower matches "*excel.exe*" OR ParentImageLower matches "*powerpnt.exe*" OR ParentImageLower matches "*outlook.exe*" OR ParentImageLower matches "*onenote.exe*" OR ParentImageLower matches "*mspub.exe*" OR ParentImageLower matches "*acrord32.exe*" OR ParentImageLower matches "*foxitreader.exe*" OR ParentImageLower matches "*wordpad.exe*", 1, 0) as IsOfficeParent
// Classify child suspicion
| if (ChildImageLower matches "*cmd.exe*" OR ChildImageLower matches "*powershell.exe*" OR ChildImageLower matches "*pwsh.exe*" OR ChildImageLower matches "*wscript.exe*" OR ChildImageLower matches "*cscript.exe*" OR ChildImageLower matches "*mshta.exe*" OR ChildImageLower matches "*rundll32.exe*" OR ChildImageLower matches "*regsvr32.exe*" OR ChildImageLower matches "*certutil.exe*" OR ChildImageLower matches "*bitsadmin.exe*" OR ChildImageLower matches "*msbuild.exe*" OR ChildImageLower matches "*wmic.exe*" OR ChildImageLower matches "*installutil.exe*", 1, 0) as IsSuspiciousChild
// Classify script interpreter
| if (ChildImageLower matches "*wscript.exe*" OR ChildImageLower matches "*cscript.exe*" OR ChildImageLower matches "*mshta.exe*", 1, 0) as IsScriptInterpreter
// Classify user-writable path
| if (CommandLineLower matches "*appdata\\local\\temp*" OR CommandLineLower matches "*appdata\\roaming*" OR CommandLineLower matches "*\\downloads\\*" OR CommandLineLower matches "*\\desktop\\*" OR CommandLineLower matches "*\\public\\*" OR CommandLineLower matches "*windows\\temp*", 1, 0) as IsUserWritablePath
// Classify script extension
| if (CommandLineLower matches "*.vbs*" OR CommandLineLower matches "*.vbe*" OR CommandLineLower matches "*.js*" OR CommandLineLower matches "*.jse*" OR CommandLineLower matches "*.wsf*" OR CommandLineLower matches "*.hta*" OR CommandLineLower matches "*.ps1*", 1, 0) as IsScriptExtension
// Classify explorer parent
| if (ParentImageLower matches "*explorer.exe*", 1, 0) as IsExplorerParent
// Classify dropped executable
| if ((CommandLineLower matches "*.exe" OR CommandLineLower matches "*.scr" OR CommandLineLower matches "*.pif" OR CommandLineLower matches "*.cpl") AND IsUserWritablePath = 1 AND (IsOfficeParent = 1 OR ParentImageLower matches "*winrar.exe*" OR ParentImageLower matches "*7z.exe*"), 1, 0) as IsDroppedExec
// Determine detection branch
| if (IsOfficeParent = 1 AND IsSuspiciousChild = 1, "Office_SuspiciousChildSpawn",
    if (IsScriptInterpreter = 1 AND (IsUserWritablePath = 1 OR IsScriptExtension = 1), "Script_UserPathExecution",
    if (IsExplorerParent = 1 AND IsSuspiciousChild = 1 AND IsUserWritablePath = 1, "LnkIso_ShellExecution",
    if (IsDroppedExec = 1, "Dropped_ExecutableRun", "Unknown")))) as DetectionBranch
| where DetectionBranch != "Unknown"
| fields _messageTime, Computer, User, ChildImageName, CommandLine, ParentImageName, ParentCommandLine, DetectionBranch, IsOfficeParent, IsSuspiciousChild, IsScriptInterpreter, IsUserWritablePath, IsScriptExtension
| sort by _messageTime desc

high severity high confidence

Data Sources

Sysmon (Windows Event Log) Windows Security Event Log Sumo Logic Installed Collector with Windows Event Log Source

Required Tables

Sumo Logic Windows Event Log source (Sysmon EventID 1)

False Positives

Business process automation using licensed Office macros (e.g., Excel-triggered VBA that shells out to run Python scripts in AppData) will trigger Office_SuspiciousChildSpawn — create suppression rules scoped to known automation service accounts and verified macro hashes.
Third-party software updaters (Adobe, Chrome, Java) that extract and execute files from Temp directories via Explorer or a launcher will trigger Dropped_ExecutableRun or LnkIso_ShellExecution — maintain a software update baseline and correlate with scheduled update windows.
Security tools or EDR agents that spawn command interpreters for live response or scanning (e.g., CrowdStrike RTR, Carbon Black Live Response) may trigger Script_UserPathExecution — allowlist by process signing certificate and known EDR parent process names.

Google Chronicle / SecOps

yaral

rule t1204_002_malicious_file_execution {
  meta:
    author = "Detection Engineering"
    description = "Detects T1204.002 - Malicious File execution via Office/PDF parent spawning suspicious child processes, script interpreters from user-writable paths, LNK/ISO shell execution, or dropped executable launch."
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1204.002"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // Bind the process start event
    $e.metadata.event_type = "PROCESS_LAUNCH"

    // Capture relevant fields
    $parent = $e.principal.process.file.full_path
    $child = $e.target.process.file.full_path
    $cmdline = $e.target.process.command_line
    $parent_cmdline = $e.principal.process.command_line
    $hostname = $e.principal.hostname
    $user = $e.principal.user.userid

    // Branch 1 & 4: Office/PDF parent process condition
    (
      // Branch 1: Office/PDF spawning suspicious child
      (
        re.regex($parent, `(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|onenote\.exe|mspub\.exe|visio\.exe|wordpad\.exe|acrord32\.exe|foxitreader\.exe|sumatra\.exe)$`) and
        re.regex($child, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe|wmic\.exe|installutil\.exe|regasm\.exe|regsvcs\.exe|cmstp\.exe|schtasks\.exe|net\.exe|netsh\.exe|curl\.exe|wget\.exe)$`)
      ) or
      // Branch 2: Script interpreter from user-writable path or script extension
      (
        re.regex($child, `(?i)(wscript\.exe|cscript\.exe|mshta\.exe)$`) and
        (
          re.regex($cmdline, `(?i)(appdata\\local\\temp|appdata\\roaming|\\downloads\\|\\desktop\\|\\public\\|windows\\temp)`) or
          re.regex($cmdline, `(?i)\.(vbs|vbe|js|jse|wsf|hta|ps1)["'\s]?`)
        )
      ) or
      // Branch 3: Explorer spawning suspicious child from LNK/ISO context
      (
        re.regex($parent, `(?i)explorer\.exe$`) and
        re.regex($child, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe)$`) and
        (
          re.regex($cmdline, `(?i)(appdata\\local\\temp|appdata\\roaming|\\downloads\\|\\desktop\\|\\public\\|windows\\temp)`) or
          re.regex($parent_cmdline, `(?i)\.lnk`)
        )
      ) or
      // Branch 4: Dropped executable launched from user-writable path
      (
        re.regex($child, `(?i)\.(exe|scr|pif|cpl|com)$`) and
        re.regex($cmdline, `(?i)(appdata\\local\\temp|appdata\\roaming|\\downloads\\|\\desktop\\|\\public\\|windows\\temp)`) and
        re.regex($parent, `(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|onenote\.exe|acrord32\.exe|foxitreader\.exe|explorer\.exe|winrar\.exe|7z\.exe|7zg\.exe|winzip32\.exe)$`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM (Unified Data Model) Google Chronicle SIEM with Windows endpoint telemetry Sysmon via Chronicle forwarder or BindPlane

Required Tables

UDM events with event_type PROCESS_LAUNCH

False Positives

Legitimate macro-enabled Office templates used in financial modeling or legal document workflows may trigger Branch 1 — build an allowlist based on the specific child process arguments and correlate with the originating Office document hash.
End-user scripting tools such as AutoHotkey, NirCmd, or scheduled Windows logon scripts stored in AppData\Roaming will trigger Branch 2 — suppress by correlating child process signing status and script file location against the IT-approved software inventory.
Software center or package manager tools (Chocolatey, Scoop, WinGet) that download and execute installers in user-accessible paths via Explorer will trigger Branch 3 or Branch 4 — identify by the parent process chain including known package manager executables and correlate with software request tickets.

CrowdStrike LogScale (CQL)

cql

// T1204.002 - Malicious File Execution Detection
// Requires Falcon Insight (EDR) with ProcessRollup2 events

#event_simpleName = ProcessRollup2

// Normalize parent and child process names to lowercase for matching
| ParentBaseFileName := lower(ParentBaseFileName)
| ChildBaseFileName := lower(ImageFileName)
// Extract just the filename from full path
| ChildImageName := replace(ChildBaseFileName, ".*\\\\", "")
| ParentImageName := replace(ParentBaseFileName, ".*\\\\", "")
| CommandLineLower := lower(CommandLine)
| ParentCommandLineLower := lower(ParentCommandLine)

// Flag: Office/PDF parent process
| IsOfficeParent := if(
    ParentImageName = "winword.exe" OR ParentImageName = "excel.exe" OR ParentImageName = "powerpnt.exe" OR
    ParentImageName = "outlook.exe" OR ParentImageName = "onenote.exe" OR ParentImageName = "mspub.exe" OR
    ParentImageName = "visio.exe" OR ParentImageName = "wordpad.exe" OR ParentImageName = "acrord32.exe" OR
    ParentImageName = "foxitreader.exe" OR ParentImageName = "sumatra.exe",
    "true", "false")

// Flag: Suspicious child process
| IsSuspiciousChild := if(
    ChildImageName = "cmd.exe" OR ChildImageName = "powershell.exe" OR ChildImageName = "pwsh.exe" OR
    ChildImageName = "wscript.exe" OR ChildImageName = "cscript.exe" OR ChildImageName = "mshta.exe" OR
    ChildImageName = "rundll32.exe" OR ChildImageName = "regsvr32.exe" OR ChildImageName = "certutil.exe" OR
    ChildImageName = "bitsadmin.exe" OR ChildImageName = "msbuild.exe" OR ChildImageName = "wmic.exe" OR
    ChildImageName = "installutil.exe" OR ChildImageName = "regasm.exe" OR ChildImageName = "regsvcs.exe" OR
    ChildImageName = "cmstp.exe" OR ChildImageName = "schtasks.exe" OR ChildImageName = "net.exe" OR
    ChildImageName = "curl.exe" OR ChildImageName = "wget.exe",
    "true", "false")

// Flag: Script interpreter
| IsScriptInterpreter := if(
    ChildImageName = "wscript.exe" OR ChildImageName = "cscript.exe" OR ChildImageName = "mshta.exe",
    "true", "false")

// Flag: User-writable path in command line
| IsUserWritablePath := if(
    CommandLineLower = /appdata\\local\\temp/ OR CommandLineLower = /appdata\\roaming/ OR
    CommandLineLower = /\\downloads\\/ OR CommandLineLower = /\\desktop\\/ OR
    CommandLineLower = /\\public\\/ OR CommandLineLower = /windows\\temp/,
    "true", "false")

// Flag: Script file extension in command line
| IsScriptExtension := if(
    CommandLineLower = /\.(vbs|vbe|js|jse|wsf|hta|ps1)/,
    "true", "false")

// Flag: Explorer parent
| IsExplorerParent := if(ParentImageName = "explorer.exe", "true", "false")

// Flag: Dropped executable from archive/office parent in writable path
| IsDroppedExec := if(
    (ChildImageName = /\.(exe|scr|pif|cpl|com)$/) AND IsUserWritablePath = "true" AND
    (IsOfficeParent = "true" OR ParentImageName = "winrar.exe" OR ParentImageName = "7z.exe" OR
     ParentImageName = "7zg.exe" OR ParentImageName = "winzip32.exe" OR ParentImageName = "explorer.exe"),
    "true", "false")

// Assign detection branch
| DetectionBranch := case{
    IsOfficeParent = "true" AND IsSuspiciousChild = "true": "Office_SuspiciousChildSpawn",
    IsScriptInterpreter = "true" AND (IsUserWritablePath = "true" OR IsScriptExtension = "true"): "Script_UserPathExecution",
    IsExplorerParent = "true" AND IsSuspiciousChild = "true" AND (IsUserWritablePath = "true" OR ParentCommandLineLower = /\.lnk/): "LnkIso_ShellExecution",
    IsDroppedExec = "true": "Dropped_ExecutableRun",
    default: "Unknown"}

// Filter to only detection hits
| where DetectionBranch != "Unknown"

// Output relevant fields
| table([_time, ComputerName, UserName, ChildImageName, CommandLine, ParentImageName, ParentCommandLine, DetectionBranch, IsOfficeParent, IsSuspiciousChild, IsScriptInterpreter, IsUserWritablePath, IsScriptExtension, TargetProcessId, ContextProcessId])
| sort(field=_time, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Insight EDR (ProcessRollup2 events) Falcon Data Replicator (FDR)

Required Tables

ProcessRollup2 (#event_simpleName)

False Positives

IT administration tools that run batch scripts from AppData or Temp directories (e.g., MDM enrollment scripts, VPN client auto-provisioning) will trigger Script_UserPathExecution or Dropped_ExecutableRun — correlate with Falcon's prevention policy and known software hashes in the allowlist.
Developer workstations running build pipelines that invoke MSBuild, cmd.exe, or PowerShell from an IDE parent process may partially match Office_SuspiciousChildSpawn if the IDE executable is not in the Office list but a shared parent exists — validate against endpoint tags and device groups (e.g., 'developer_workstation').
Archive extraction tools (7-Zip, WinRAR) legitimately extracting and launching software installers from Downloads will trigger Dropped_ExecutableRun — verify executable signing certificate, compare against software installation request workflows, and check for matching Falcon prevention alerts that did not fire.

Last updated: 2026-04-19 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1204.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1204User Execution

Related Sub-techniques

T1204.001Malicious Link T1204.003Malicious Image T1204.004Malicious Copy and Paste T1204.005Malicious Library

Malicious File

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections