Detect Malicious File in CrowdStrike LogScale
Adversaries rely on users opening malicious files to gain code execution. Files delivered via spearphishing attachments or placed in shared directories include .doc, .xls, .pdf, .rtf, .scr, .exe, .lnk, .pif, .cpl, .iso, and others. Social engineering lures users into enabling macros, extracting archives, or double-clicking payloads. Execution typically manifests as an Office application, PDF reader, or shell process spawning a scripting engine, command interpreter, or LOLBin as a child process.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1204 User Execution
- Sub-technique: T1204.002 Malicious File
- Canonical reference: https://attack.mitre.org/techniques/T1204/002/
LogScale Detection Query
// T1204.002 - Malicious File Execution Detection
// Requires Falcon Insight (EDR) with ProcessRollup2 events
#event_simpleName = ProcessRollup2
// Normalize parent and child process names to lowercase for matching
| ParentBaseFileName := lower(ParentBaseFileName)
| ChildBaseFileName := lower(ImageFileName)
// Extract just the filename from the full path ("\\\\" in the string is one regex backslash);
// replace() takes the source field by name and writes the result with as=
| replace(field=ChildBaseFileName, regex=".*\\\\", with="", as=ChildImageName)
| replace(field=ParentBaseFileName, regex=".*\\\\", with="", as=ParentImageName)
| CommandLineLower := lower(CommandLine)
| ParentCommandLineLower := lower(ParentCommandLine)
// Flag: Office/PDF parent process (if() needs named then= / else=)
| IsOfficeParent := if(in(ParentImageName, values=["winword.exe", "excel.exe", "powerpnt.exe",
      "outlook.exe", "onenote.exe", "mspub.exe", "visio.exe", "wordpad.exe", "acrord32.exe",
      "foxitreader.exe", "sumatra.exe"]), then="true", else="false")
// Flag: Suspicious child process (interpreters, LOLBins, download utilities)
| IsSuspiciousChild := if(in(ChildImageName, values=["cmd.exe", "powershell.exe", "pwsh.exe",
      "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
      "bitsadmin.exe", "msbuild.exe", "wmic.exe", "installutil.exe", "regasm.exe", "regsvcs.exe",
      "cmstp.exe", "schtasks.exe", "net.exe", "curl.exe", "wget.exe"]), then="true", else="false")
// Flag: Script interpreter
| IsScriptInterpreter := if(in(ChildImageName, values=["wscript.exe", "cscript.exe", "mshta.exe"]), then="true", else="false")
// Flag: User-writable path anywhere in the command line
| IsUserWritablePath := if(CommandLineLower = /appdata\\local\\temp|appdata\\roaming|\\downloads\\|\\desktop\\|\\public\\|windows\\temp/, then="true", else="false")
// Flag: Script file extension in command line
| IsScriptExtension := if(CommandLineLower = /\.(vbs|vbe|js|jse|wsf|hta|ps1)/, then="true", else="false")
// Flag: Explorer parent
| IsExplorerParent := if(ParentImageName = "explorer.exe", then="true", else="false")
// Flag: Dropped executable launched from a writable path by an Office, archive or Explorer parent
| IsDroppedExec := if(ChildImageName = /\.(exe|scr|pif|cpl|com)$/ AND IsUserWritablePath = "true" AND
      (IsOfficeParent = "true" OR in(ParentImageName, values=["winrar.exe", "7z.exe", "7zg.exe", "winzip32.exe", "explorer.exe"])),
      then="true", else="false")
// Assign detection branch; case{} evaluates top to bottom and the first matching filter wins
| case {
    IsOfficeParent = "true" AND IsSuspiciousChild = "true" | DetectionBranch := "Office_SuspiciousChildSpawn";
    IsScriptInterpreter = "true" AND (IsUserWritablePath = "true" OR IsScriptExtension = "true") | DetectionBranch := "Script_UserPathExecution";
    IsExplorerParent = "true" AND IsSuspiciousChild = "true" AND (IsUserWritablePath = "true" OR ParentCommandLineLower = /\.lnk/) | DetectionBranch := "LnkIso_ShellExecution";
    IsDroppedExec = "true" | DetectionBranch := "Dropped_ExecutableRun";
    * | DetectionBranch := "Unknown"
  }
// Filter to only detection hits (a bare comparison is the filter; LogScale has no where())
| DetectionBranch != "Unknown"
// Output relevant fields (LogScale's event time field is @timestamp)
| table([@timestamp, ComputerName, UserName, ChildImageName, CommandLine, ParentImageName, ParentCommandLine, DetectionBranch, IsOfficeParent, IsSuspiciousChild, IsScriptInterpreter, IsUserWritablePath, IsScriptExtension, TargetProcessId, ContextProcessId])
| sort(field=@timestamp, order=desc)

CrowdStrike LogScale (Falcon Insight) query detecting T1204.002 malicious file execution using ProcessRollup2 events. It identifies four behavioral branches: Office/PDF applications spawning suspicious interpreter or LOLBin child processes (macro/script execution), script interpreters executing from user-writable paths, Explorer spawning suspicious children in an LNK/ISO delivery context, and dropped executables launched from temp/download directories by Office or archive applications.
Data Sources
Required Tables
False Positives & Tuning
- IT administration tools that run batch scripts from AppData or Temp directories (e.g., MDM enrollment scripts, VPN client auto-provisioning) will trigger Script_UserPathExecution or Dropped_ExecutableRun — correlate with Falcon's prevention policy and known software hashes in the allowlist.
- Developer workstations running build pipelines that invoke MSBuild, cmd.exe, or PowerShell from an IDE parent process may partially match Office_SuspiciousChildSpawn if the IDE executable is not in the Office list but a shared parent exists — validate against endpoint tags and device groups (e.g., 'developer_workstation').
- Archive extraction tools (7-Zip, WinRAR) legitimately extracting and launching software installers from Downloads will trigger Dropped_ExecutableRun — verify executable signing certificate, compare against software installation request workflows, and check for matching Falcon prevention alerts that did not fire.
Other platforms for T1204.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Word Document Macro Spawning PowerShell
Expected signal: Sysmon Event ID 1: Process Create with ParentImage=WINWORD.EXE and Image=cmd.exe, CommandLine containing 'whoami'. Security Event ID 4688 (if command line auditing enabled) with same parent-child relationship. Sysmon Event ID 11: File creation of df00tech-macro-test.txt by cmd.exe.
- Test 2: VBScript Execution from Downloads Folder
Expected signal: Sysmon Event ID 1: Process Create with Image=wscript.exe, CommandLine containing the path to df00tech-invoice.vbs in the Downloads folder. ParentImage will be cmd.exe (simulating Explorer shell execution). Sysmon Event ID 11: File creation of df00tech-vbs-test.txt by cmd.exe child of wscript.exe.
- Test 3: HTA File Execution Simulating Phishing Payload
Expected signal: Sysmon Event ID 1 (first): Process Create for mshta.exe with CommandLine pointing to df00tech-payload.hta in TEMP. Sysmon Event ID 1 (second): cmd.exe as child of mshta.exe with CommandLine containing 'whoami'. Sysmon Event ID 11: File creation of df00tech-hta-test.txt.
- Test 4: ISO-Mounted LNK File Executing Payload (MOTW Bypass Simulation)
Expected signal: Sysmon Event ID 1: Process Create with ParentImage=explorer.exe, Image=cmd.exe, with CommandLine containing path to payload.bat. Sysmon Event ID 11: File creation of invoice.lnk and payload.bat in the simulated ISO directory. Sysmon Event ID 11: df00tech-iso-result.txt created by cmd.exe.
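To check that the query's four branches fire on the telemetry the four tests above describe, and to see which branch wins when several flags are true at once, here is an added Python model of the query's branch logic (example code written for this page, not code from the page, from CrowdStrike, or from Atomic Red Team). It re-implements the same name lists and regexes over constructed ProcessRollup2-style dictionaries; the field names follow the query, while the `label` key, the user name, the volume path and the ISO directory under Desktop are assumptions made up for the sample. The last sample event is a benign Explorer launch of a system binary with a Desktop document as its argument, included to show a tuning point of the query itself: IsUserWritablePath is evaluated on the whole command line, not on the child's image path.

```python
import re

# Name lists copied from the LogScale query's IsOfficeParent / IsSuspiciousChild /
# IsScriptInterpreter / IsDroppedExec flags (lowercase, as the query normalizes them).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe",
                  "mspub.exe", "visio.exe", "wordpad.exe", "acrord32.exe", "foxitreader.exe",
                  "sumatra.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
                       "msbuild.exe", "wmic.exe", "installutil.exe", "regasm.exe", "regsvcs.exe",
                       "cmstp.exe", "schtasks.exe", "net.exe", "curl.exe", "wget.exe"}
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "mshta.exe"}
ARCHIVE_OR_SHELL_PARENTS = {"winrar.exe", "7z.exe", "7zg.exe", "winzip32.exe", "explorer.exe"}

# Same regexes as the query's IsUserWritablePath / IsScriptExtension / IsDroppedExec / LNK checks
USER_WRITABLE_PATH = re.compile(
    r"appdata\\local\\temp|appdata\\roaming|\\downloads\\|\\desktop\\|\\public\\|windows\\temp")
SCRIPT_EXTENSION = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|ps1)")
DROPPED_EXTENSION = re.compile(r"\.(exe|scr|pif|cpl|com)$")
LNK_IN_PARENT = re.compile(r"\.lnk")


def basename(path: str) -> str:
    """Lowercase and strip everything up to the last backslash (the query's lower()+replace())."""
    return re.sub(r".*\\", "", path.lower())


def classify(event: dict) -> str:
    """Return the DetectionBranch the query would assign to one ProcessRollup2 event."""
    child = basename(event["ImageFileName"])
    parent = basename(event["ParentBaseFileName"])
    cmd = event.get("CommandLine", "").lower()
    parent_cmd = event.get("ParentCommandLine", "").lower()

    is_office_parent = parent in OFFICE_PARENTS
    is_suspicious_child = child in SUSPICIOUS_CHILDREN
    is_script_interpreter = child in SCRIPT_INTERPRETERS
    is_user_writable_path = USER_WRITABLE_PATH.search(cmd) is not None   # whole command line
    is_script_extension = SCRIPT_EXTENSION.search(cmd) is not None
    is_explorer_parent = parent == "explorer.exe"
    is_dropped_exec = (DROPPED_EXTENSION.search(child) is not None and is_user_writable_path
                       and (is_office_parent or parent in ARCHIVE_OR_SHELL_PARENTS))

    # Order matters: the first matching case wins, exactly as in the query's case{} block
    if is_office_parent and is_suspicious_child:
        return "Office_SuspiciousChildSpawn"
    if is_script_interpreter and (is_user_writable_path or is_script_extension):
        return "Script_UserPathExecution"
    if is_explorer_parent and is_suspicious_child and (
            is_user_writable_path or LNK_IN_PARENT.search(parent_cmd) is not None):
        return "LnkIso_ShellExecution"
    if is_dropped_exec:
        return "Dropped_ExecutableRun"
    return "Unknown"


def detect(events) -> list:
    """Keep only hits, mirroring the query's DetectionBranch != "Unknown" filter."""
    hits = []
    for event in events:
        branch = classify(event)
        if branch != "Unknown":
            hits.append((event["label"], branch))
    return hits


# Constructed sample events (not real telemetry); "label" is not a Falcon field.
SYS32 = r"\Device\HarddiskVolume3\Windows\System32"
SAMPLE_EVENTS = [
    # Test 1: Word macro spawns a shell
    {"label": "test1_word_macro", "ParentBaseFileName": "WINWORD.EXE",
     "ImageFileName": SYS32 + r"\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami > C:\Users\alice\AppData\Local\Temp\df00tech-macro-test.txt",
     "ParentCommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n invoice.docm'},
    # Test 2: VBScript run from Downloads, cmd.exe standing in for the Explorer shell
    {"label": "test2_vbs_downloads", "ParentBaseFileName": "cmd.exe",
     "ImageFileName": SYS32 + r"\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\df00tech-invoice.vbs"',
     "ParentCommandLine": "cmd.exe"},
    # Test 3: HTA executed from TEMP
    {"label": "test3_hta_temp", "ParentBaseFileName": "cmd.exe",
     "ImageFileName": SYS32 + r"\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\AppData\Local\Temp\df00tech-payload.hta",
     "ParentCommandLine": "cmd.exe"},
    # Test 4: Explorer launches the payload from a simulated ISO directory (assumed under Desktop)
    {"label": "test4_iso_lnk", "ParentBaseFileName": "explorer.exe",
     "ImageFileName": SYS32 + r"\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\alice\Desktop\iso\payload.bat",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
    # Archive tool launching an extracted installer (the tuning case named on the page)
    {"label": "dropped_from_archive", "ParentBaseFileName": "7zG.exe",
     "ImageFileName": r"\Device\HarddiskVolume3\Users\alice\Downloads\setup.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\setup.exe"', "ParentCommandLine": "7zG.exe"},
    # Benign: Explorer starts a system binary with no user-writable path in the command line
    {"label": "benign_notepad", "ParentBaseFileName": "explorer.exe",
     "ImageFileName": SYS32 + r"\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe"', "ParentCommandLine": "explorer.exe"},
    # Benign but flagged: a Desktop document as argument satisfies IsDroppedExec via the command line
    {"label": "explorer_opens_desktop_doc", "ParentBaseFileName": "explorer.exe",
     "ImageFileName": SYS32 + r"\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\Desktop\notes.txt',
     "ParentCommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for label, branch in detect(SAMPLE_EVENTS):
        print(f"{label:28s} -> {branch}")
```

Running the block prints six hits: the four test events land in Office_SuspiciousChildSpawn, Script_UserPathExecution (twice) and LnkIso_ShellExecution respectively, the archive launch in Dropped_ExecutableRun, and the plain notepad launch is dropped. The last event also lands in Dropped_ExecutableRun, because the child name ends in .exe, the parent is explorer.exe and the Desktop path appears in the command line; narrowing IsUserWritablePath to the child's own image path, or excluding signed system binaries, is the tuning that case calls for.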
References (10)
- https://attack.mitre.org/techniques/T1204/002/
- https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/
- https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-how-to-protect-against-this-malware
- https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups/
- https://docs.microsoft.com/en-us/deployoffice/security/internet-macros-blocked