T1204.002 Google Chronicle · YARA-L

Detect Malicious File in Google Chronicle

Adversaries rely on users opening malicious files to gain code execution. Files delivered via spearphishing attachments or placed in shared directories include .doc, .xls, .pdf, .rtf, .scr, .exe, .lnk, .pif, .cpl, .iso, and others. Social engineering lures users into enabling macros, extracting archives, or double-clicking payloads. Execution typically manifests as an Office application, PDF reader, or shell process spawning a scripting engine, command interpreter, or LOLBin as a child process.

MITRE ATT&CK

Tactic: Execution
Technique: T1204 User Execution
Sub-technique: T1204.002 Malicious File
Canonical reference: https://attack.mitre.org/techniques/T1204/002/

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule t1204_002_malicious_file_execution {
  meta:
    author = "Detection Engineering"
    description = "Detects T1204.002 - Malicious File execution via Office/PDF parent spawning suspicious child processes, script interpreters from user-writable paths, LNK/ISO shell execution, or dropped executable launch."
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1204.002"
    severity = "HIGH"
    priority = "HIGH"

  events:
    // Bind the process start event
    $e.metadata.event_type = "PROCESS_LAUNCH"

    // Capture relevant fields
    $parent = $e.principal.process.file.full_path
    $child = $e.target.process.file.full_path
    $cmdline = $e.target.process.command_line
    $parent_cmdline = $e.principal.process.command_line
    $hostname = $e.principal.hostname
    $user = $e.principal.user.userid

    // Four alternative behavioral branches; any one of them satisfies the rule
    (
      // Branch 1: Office/PDF spawning suspicious child
      (
        re.regex($parent, `(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|onenote\.exe|mspub\.exe|visio\.exe|wordpad\.exe|acrord32\.exe|foxitreader\.exe|sumatra\.exe)$`) and
        re.regex($child, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe|wmic\.exe|installutil\.exe|regasm\.exe|regsvcs\.exe|cmstp\.exe|schtasks\.exe|net\.exe|netsh\.exe|curl\.exe|wget\.exe)$`)
      ) or
      // Branch 2: Script interpreter from user-writable path or script extension
      (
        re.regex($child, `(?i)(wscript\.exe|cscript\.exe|mshta\.exe)$`) and
        (
          re.regex($cmdline, `(?i)(appdata\\local\\temp|appdata\\roaming|\\downloads\\|\\desktop\\|\\public\\|windows\\temp)`) or
          re.regex($cmdline, `(?i)\.(vbs|vbe|js|jse|wsf|hta|ps1)["'\s]?`)
        )
      ) or
      // Branch 3: Explorer spawning suspicious child from LNK/ISO context
      (
        re.regex($parent, `(?i)explorer\.exe$`) and
        re.regex($child, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe)$`) and
        (
          re.regex($cmdline, `(?i)(appdata\\local\\temp|appdata\\roaming|\\downloads\\|\\desktop\\|\\public\\|windows\\temp)`) or
          re.regex($parent_cmdline, `(?i)\.lnk`)
        )
      ) or
      // Branch 4: Dropped executable launched from user-writable path
      (
        re.regex($child, `(?i)\.(exe|scr|pif|cpl|com)$`) and
        re.regex($cmdline, `(?i)(appdata\\local\\temp|appdata\\roaming|\\downloads\\|\\desktop\\|\\public\\|windows\\temp)`) and
        re.regex($parent, `(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|onenote\.exe|acrord32\.exe|foxitreader\.exe|explorer\.exe|winrar\.exe|7z\.exe|7zg\.exe|winzip32\.exe)$`)
      )
    )

  condition:
    $e
}
```

Severity: HIGH · Confidence: HIGH

Chronicle YARA-L 2.0 rule detecting T1204.002 malicious file execution across four behavioral branches: Office/PDF applications spawning suspicious child processes (macro/embedded script execution), script interpreters launching from user-writable paths, Explorer spawning suspicious processes in LNK/ISO delivery context, and dropped executables launched from temp/download directories.

Data Sources

  • Chronicle UDM (Unified Data Model)
  • Google Chronicle SIEM with Windows endpoint telemetry
  • Sysmon via Chronicle forwarder or BindPlane

Required Tables

UDM events with event_type PROCESS_LAUNCH

False Positives & Tuning

  • Legitimate macro-enabled Office templates used in financial modeling or legal document workflows may trigger Branch 1 — build an allowlist based on the specific child process arguments and correlate with the originating Office document hash.
  • End-user scripting tools such as AutoHotkey, NirCmd, or scheduled Windows logon scripts stored in AppData\Roaming will trigger Branch 2 — suppress by correlating child process signing status and script file location against the IT-approved software inventory.
  • Software center or package manager tools (Chocolatey, Scoop, WinGet) that download and execute installers in user-accessible paths via Explorer will trigger Branch 3 or Branch 4 — identify by the parent process chain including known package manager executables and correlate with software request tickets.
Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Word Document Macro Spawning PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with ParentImage=WINWORD.EXE and Image=cmd.exe, CommandLine containing 'whoami'. Security Event ID 4688 (if command line auditing enabled) with same parent-child relationship. Sysmon Event ID 11: File creation of df00tech-macro-test.txt by cmd.exe.

  2. Test 2: VBScript Execution from Downloads Folder

    Expected signal: Sysmon Event ID 1: Process Create with Image=wscript.exe, CommandLine containing the path to df00tech-invoice.vbs in the Downloads folder. ParentImage will be cmd.exe (simulating Explorer shell execution). Sysmon Event ID 11: File creation of df00tech-vbs-test.txt by cmd.exe child of wscript.exe.

  3. Test 3: HTA File Execution Simulating Phishing Payload

    Expected signal: Sysmon Event ID 1 (first): Process Create for mshta.exe with CommandLine pointing to df00tech-payload.hta in TEMP. Sysmon Event ID 1 (second): cmd.exe as child of mshta.exe with CommandLine containing 'whoami'. Sysmon Event ID 11: File creation of df00tech-hta-test.txt.

  4. Test 4: ISO-Mounted LNK File Executing Payload (MOTW Bypass Simulation)

    Expected signal: Sysmon Event ID 1: Process Create with ParentImage=explorer.exe, Image=cmd.exe, with CommandLine containing path to payload.bat. Sysmon Event ID 11: File creation of invoice.lnk and payload.bat in the simulated ISO directory. Sysmon Event ID 11: df00tech-iso-result.txt created by cmd.exe.
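To exercise the rule's four branches against the parent/child/command-line signals described in Tests 1-4 above, and to see how an allowlist of the kind suggested under False Positives & Tuning would apply, here is an added Python harness. It is not Chronicle code and not part of this page's detection package. It copies the rule's RE2 patterns into Python's re module (which accepts them unchanged), runs them over constructed PROCESS_LAUNCH events, and reports which branches each event hits. The flat ProcessLaunch shape, the SAMPLES dictionary and the CorpIT logon-script allowlist entry are all constructed for this example.

```python
"""Offline harness re-implementing the four branches of the YARA-L rule above.
Added example: the event shape, samples and allowlist entry are constructed, not Chronicle's."""
import re
from dataclasses import dataclass

# Regexes copied verbatim from the rule (RE2 syntax, also valid for Python's re).
OFFICE_PDF_PARENT = r"(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|onenote\.exe|mspub\.exe|visio\.exe|wordpad\.exe|acrord32\.exe|foxitreader\.exe|sumatra\.exe)$"
SUSPICIOUS_CHILD = r"(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe|wmic\.exe|installutil\.exe|regasm\.exe|regsvcs\.exe|cmstp\.exe|schtasks\.exe|net\.exe|netsh\.exe|curl\.exe|wget\.exe)$"
SCRIPT_HOST = r"(?i)(wscript\.exe|cscript\.exe|mshta\.exe)$"
USER_WRITABLE = r"(?i)(appdata\\local\\temp|appdata\\roaming|\\downloads\\|\\desktop\\|\\public\\|windows\\temp)"
SCRIPT_EXT = r"(?i)\.(vbs|vbe|js|jse|wsf|hta|ps1)[\"'\s]?"
EXPLORER_PARENT = r"(?i)explorer\.exe$"
EXPLORER_CHILD = r"(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe)$"
LNK_IN_PARENT_CMDLINE = r"(?i)\.lnk"
DROPPED_EXE = r"(?i)\.(exe|scr|pif|cpl|com)$"
DROPPER_PARENT = r"(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|onenote\.exe|acrord32\.exe|foxitreader\.exe|explorer\.exe|winrar\.exe|7z\.exe|7zg\.exe|winzip32\.exe)$"


@dataclass
class ProcessLaunch:
    """Hypothetical flat view of the UDM fields the rule reads."""
    parent: str               # $e.principal.process.file.full_path
    child: str                # $e.target.process.file.full_path
    cmdline: str = ""         # $e.target.process.command_line
    parent_cmdline: str = ""  # $e.principal.process.command_line


def _hit(pattern, value):
    return re.search(pattern, value or "") is not None


def matched_branches(ev):
    """Return the set of rule branches (1-4) the event satisfies; empty set means no match."""
    hits = set()
    if _hit(OFFICE_PDF_PARENT, ev.parent) and _hit(SUSPICIOUS_CHILD, ev.child):
        hits.add(1)
    if _hit(SCRIPT_HOST, ev.child) and (_hit(USER_WRITABLE, ev.cmdline) or _hit(SCRIPT_EXT, ev.cmdline)):
        hits.add(2)
    if (_hit(EXPLORER_PARENT, ev.parent) and _hit(EXPLORER_CHILD, ev.child)
            and (_hit(USER_WRITABLE, ev.cmdline) or _hit(LNK_IN_PARENT_CMDLINE, ev.parent_cmdline))):
        hits.add(3)
    if _hit(DROPPED_EXE, ev.child) and _hit(USER_WRITABLE, ev.cmdline) and _hit(DROPPER_PARENT, ev.parent):
        hits.add(4)
    return hits


# Constructed tuning allowlist: (child image basename, substring required in the command line).
# Mirrors the "IT-approved logon script in AppData\Roaming" case from the tuning notes.
ALLOWLIST = [
    ("wscript.exe", r"\appdata\roaming\corpit\logon.vbs"),  # hypothetical approved script
]


def is_allowlisted(ev, allowlist=ALLOWLIST):
    child_name = ev.child.rsplit("\\", 1)[-1].lower()
    cmd = ev.cmdline.lower()
    return any(child_name == name and needle.lower() in cmd for name, needle in allowlist)


def evaluate(ev, allowlist=ALLOWLIST):
    """Map one event to ('no_match' | 'suppressed' | 'alert', matched branch set)."""
    branches = matched_branches(ev)
    if not branches:
        return "no_match", branches
    if is_allowlisted(ev, allowlist):
        return "suppressed", branches
    return "alert", branches


# Constructed sample events mirroring Tests 1-4 above, plus an archive drop and two tuning cases.
SAMPLES = {
    "test1_word_macro": ProcessLaunch(
        parent=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        child=r"C:\Windows\System32\cmd.exe", cmdline=r"cmd.exe /c whoami"),
    "test2_vbs_downloads": ProcessLaunch(
        parent=r"C:\Windows\System32\cmd.exe", child=r"C:\Windows\System32\wscript.exe",
        cmdline=r'wscript.exe "C:\Users\alice\Downloads\df00tech-invoice.vbs"'),
    "test3_hta_temp": ProcessLaunch(
        parent=r"C:\Windows\System32\cmd.exe", child=r"C:\Windows\System32\mshta.exe",
        cmdline=r"mshta.exe C:\Users\alice\AppData\Local\Temp\df00tech-payload.hta"),
    "test4_iso_lnk": ProcessLaunch(
        parent=r"C:\Windows\explorer.exe", child=r"C:\Windows\System32\cmd.exe",
        cmdline=r"cmd.exe /c D:\payload.bat",
        parent_cmdline=r'C:\Windows\explorer.exe "D:\invoice.lnk"'),
    "archive_dropped_exe": ProcessLaunch(
        parent=r"C:\Program Files\WinRAR\WinRAR.exe",
        child=r"C:\Users\alice\AppData\Local\Temp\Rar$EXa0.123\setup.exe",
        cmdline=r'"C:\Users\alice\AppData\Local\Temp\Rar$EXa0.123\setup.exe"'),
    "approved_logon_script": ProcessLaunch(
        parent=r"C:\Windows\System32\userinit.exe", child=r"C:\Windows\System32\wscript.exe",
        cmdline=r'wscript.exe //B "C:\Users\bob\AppData\Roaming\CorpIT\logon.vbs"'),
    "benign_open_docx": ProcessLaunch(
        parent=r"C:\Windows\explorer.exe",
        child=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        cmdline=r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" "C:\Users\alice\Desktop\report.docx"'),
}

if __name__ == "__main__":
    for name, ev in SAMPLES.items():
        verdict, branches = evaluate(ev)
        print(f"{name:24s} {verdict:10s} branches={sorted(branches)}")
```

Two things the harness makes visible that the rule text alone does not. Test 3 fires Branch 2 rather than a branch of its own, because mshta.exe pointing at a .hta in TEMP satisfies both the user-writable-path regex and the script-extension regex. And the benign_open_docx sample shows that Branch 4 applies the user-writable-path regex to the child's command line, not its image path, so Explorer launching WINWORD.EXE with a document argument under \Desktop\ also fires it; if that proves noisy in your environment, a narrower Branch 4 would apply that regex to $child instead of $cmdline.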
