Detect Malicious File in IBM QRadar
Adversaries rely on users opening malicious files to gain code execution. Files delivered via spearphishing attachments or placed in shared directories include .doc, .xls, .pdf, .rtf, .scr, .exe, .lnk, .pif, .cpl, .iso, and others. Social engineering lures users into enabling macros, extracting archives, or double-clicking payloads. Execution typically manifests as an Office application, PDF reader, or shell process spawning a scripting engine, command interpreter, or LOLBin as a child process.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1204 User Execution
- Sub-technique: T1204.002 Malicious File
- Canonical reference: https://attack.mitre.org/techniques/T1204/002/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
logsourcename(logsourceid) AS log_source,
"username" AS user_account,
"sourceip" AS source_ip,
QIDNAME(qid) AS event_name,
"EventID",
UTF8(payload) AS raw_payload,
CASE
WHEN LOWER("ParentImage") MATCHES '.*?(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|onenote\.exe|mspub\.exe|acrord32\.exe|foxitreader\.exe).*'
AND LOWER("Image") MATCHES '.*?(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe|wmic\.exe).*'
THEN 'Office_SuspiciousChildSpawn'
WHEN LOWER("Image") MATCHES '.*?(wscript\.exe|cscript\.exe|mshta\.exe).*'
AND (LOWER("CommandLine") MATCHES '.*?(appdata\\local\\temp|appdata\\roaming|\\downloads\\|\\desktop\\|\\public\\|windows\\temp).*'
OR LOWER("CommandLine") MATCHES '.*?\.(vbs|vbe|js|jse|wsf|hta|ps1)(["''\s]|$).*')
THEN 'Script_UserPathExecution'
WHEN LOWER("ParentImage") MATCHES '.*?explorer\.exe.*'
AND LOWER("Image") MATCHES '.*?(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe).*'
AND (LOWER("CommandLine") MATCHES '.*?(appdata\\local\\temp|appdata\\roaming|\\downloads\\|\\desktop\\|\\public\\|windows\\temp).*'
OR LOWER("ParentCommandLine") MATCHES '.*?\.lnk.*')
THEN 'LnkIso_ShellExecution'
WHEN LOWER("Image") MATCHES '.*?\.(exe|scr|pif|cpl|com)$'
AND LOWER("CurrentDirectory") MATCHES '.*?(temp|downloads|desktop|public).*'
AND LOWER("ParentImage") MATCHES '.*?(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|explorer\.exe|winrar\.exe|7z(fm|g)?\.exe).*'
THEN 'Dropped_ExecutableRun'
ELSE 'Unknown'
END AS detection_branch,
"Image" AS child_process,
"CommandLine" AS child_cmdline,
"ParentImage" AS parent_process,
"ParentCommandLine" AS parent_cmdline,
"CurrentDirectory" AS working_dir
FROM events
WHERE
logsourcetypename(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
AND "EventID" = '1'
AND LONG(starttime) > LONG(NOW()) - 86400000
AND (
(LOWER("ParentImage") MATCHES '.*?(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|onenote\.exe|mspub\.exe|acrord32\.exe|foxitreader\.exe).*'
AND LOWER("Image") MATCHES '.*?(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|msbuild\.exe|wmic\.exe).*')
OR (LOWER("Image") MATCHES '.*?(wscript\.exe|cscript\.exe|mshta\.exe).*'
AND (LOWER("CommandLine") MATCHES '.*?(appdata\\local\\temp|appdata\\roaming|\\downloads\\|\\desktop\\|\\public\\|windows\\temp).*'
OR LOWER("CommandLine") MATCHES '.*?\.(vbs|vbe|js|jse|wsf|hta|ps1)(["''\s]|$).*'))
OR (LOWER("ParentImage") MATCHES '.*?explorer\.exe.*'
AND LOWER("Image") MATCHES '.*?(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe).*'
AND (LOWER("CommandLine") MATCHES '.*?(appdata\\local\\temp|appdata\\roaming|\\downloads\\|\\desktop\\|\\public\\|windows\\temp).*'
OR LOWER("ParentCommandLine") MATCHES '.*?\.lnk.*'))
OR (LOWER("Image") MATCHES '.*?\.(exe|scr|pif|cpl|com)$'
AND LOWER("CurrentDirectory") MATCHES '.*?(temp|downloads|desktop|public).*'
AND LOWER("ParentImage") MATCHES '.*?(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|explorer\.exe|winrar\.exe|7z(fm|g)?\.exe).*')
)
ORDER BY starttime DESC
LIMIT 1000
AQL query detecting T1204.002 malicious file execution via Sysmon Event ID 1 (Process Create). It identifies four branches: Office/PDF applications spawning suspicious child processes, script interpreters launching from user-writable paths, Explorer spawning suspicious children from LNK/ISO context, and dropped executables run from temp/download directories. The WHERE clause repeats the same four conditions as the CASE expression so that every returned row carries a named detection_branch rather than 'Unknown'; if you edit one copy, edit the other. The script-extension pattern requires the extension to be followed by a quote, whitespace or the end of the command line, so a path such as C:\tools\vbscript\ is not matched as a .vbs file, and the archiver list covers the 7-Zip GUI processes (7zFM.exe, 7zG.exe) as well as the console 7z.exe.
Data Sources
Sysmon Event ID 1 (Process Create) from Windows endpoints, forwarded to QRadar so that Image, CommandLine, ParentImage, ParentCommandLine and CurrentDirectory are parsed into custom event properties. The query filters on "EventID" = '1', which is the Sysmon process-creation event; Windows Security Event ID 4688 (with command-line auditing enabled) carries the same parent/child relationship but is not selected by this filter and needs its own mapping.
Required Tables
events, with the custom event properties "EventID", "Image", "CommandLine", "ParentImage", "ParentCommandLine" and "CurrentDirectory" defined for the Windows log source type. The query returns nothing (rather than erroring) if a property is undefined, so confirm they populate before relying on the rule.
False Positives & Tuning
- Sanctioned Office macro-based business automation (e.g., custom Excel VBA dashboards that call cmd.exe to run batch scripts) will trigger Office_SuspiciousChildSpawn; maintain an allowlist of approved macro document hashes and correlate with the user's group membership.
- Software deployment tools (SCCM, PDQ Deploy) that stage packages in user temp directories can trigger Dropped_ExecutableRun when the staged installer is launched through Explorer, since that branch only accepts Office, Explorer or archiver parents; exclude the tool's staging directories, and if you widen the parent list to include the deployment agent, exclude the agent executable explicitly.
- Legitimate scripting used by help desk staff (AutoHotkey scripts, VBScript IT tools stored in AppData) will trigger Script_UserPathExecution; validate against the IT-managed script inventory and signing certificate.
- Dropped_ExecutableRun keys on CurrentDirectory, not on where the executable itself lives, so any program Explorer starts with a working directory under Desktop, Downloads, Public or a temp folder (for example notepad.exe opened on a file that sits on the Desktop) matches. Tighten the branch by also requiring "Image" to sit under one of the user-writable paths used by the other branches.
Testing Methodology
Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise, the telemetry you should expect to see, and the query branch it should hit. Executable commands and cleanup steps are available with Pro.
- Test 1: Word Document Macro Spawning PowerShell
Expected signal: Sysmon Event ID 1: Process Create with ParentImage=WINWORD.EXE and Image=cmd.exe, CommandLine containing 'whoami'. Security Event ID 4688 (if command line auditing is enabled) with the same parent-child relationship. Sysmon Event ID 11: file creation of df00tech-macro-test.txt by cmd.exe. Fires Office_SuspiciousChildSpawn.
- Test 2: VBScript Execution from Downloads Folder
Expected signal: Sysmon Event ID 1: Process Create with Image=wscript.exe, CommandLine containing the path to df00tech-invoice.vbs in the Downloads folder. ParentImage will be cmd.exe (simulating Explorer shell execution); Script_UserPathExecution does not depend on the parent, so it still fires on the \Downloads\ path and the .vbs extension. Sysmon Event ID 11: file creation of df00tech-vbs-test.txt by the cmd.exe child of wscript.exe.
- Test 3: HTA File Execution Simulating Phishing Payload
Expected signal: Sysmon Event ID 1 (first): Process Create for mshta.exe with CommandLine pointing to df00tech-payload.hta in TEMP; this is the event that fires Script_UserPathExecution. Sysmon Event ID 1 (second): cmd.exe as child of mshta.exe with CommandLine containing 'whoami'; this one matches no branch on its own, because mshta.exe is neither an Office nor an Explorer parent. Sysmon Event ID 11: file creation of df00tech-hta-test.txt.
- Test 4: ISO-Mounted LNK File Executing Payload (MOTW Bypass Simulation)
Expected signal: Sysmon Event ID 1: Process Create with ParentImage=explorer.exe, Image=cmd.exe, with CommandLine containing the path to payload.bat. Sysmon Event ID 11: file creation of invoice.lnk and payload.bat in the simulated ISO directory. Sysmon Event ID 11: df00tech-iso-result.txt created by cmd.exe. LnkIso_ShellExecution fires only if the explorer.exe ParentCommandLine carries the .lnk path or payload.bat sits under one of the listed user-writable directories (AppData, Downloads, Desktop, Public, Windows\Temp); a simulated ISO directory elsewhere will not match, so check the parent command line if the test is silent.
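To exercise the four branches, the tuning notes and the expected test signals without a QRadar instance, here is an added Python re-implementation of the query's branch logic run over constructed Sysmon Event ID 1 records. It is example code written for this page, not QRadar content or part of the detection package; the approved-script inventory, the strict image-path option for Dropped_ExecutableRun, and all user names and paths are assumptions.

```python
import re

# Regex fragments mirroring the four branches of the AQL query on this page.
# AQL MATCHES uses Java regex; these patterns behave identically in Python's re.
OFFICE_PARENTS = r"(winword|excel|powerpnt|outlook|onenote|mspub|acrord32|foxitreader)\.exe"
LOLBIN_CHILDREN = (r"(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|"
                   r"certutil|bitsadmin|msbuild|wmic)\.exe")
SCRIPT_HOSTS = r"(wscript|cscript|mshta)\.exe"
SHELL_CHILDREN = r"(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe"
USER_PATHS = r"(appdata\\local\\temp|appdata\\roaming|\\downloads\\|\\desktop\\|\\public\\|windows\\temp)"
SCRIPT_EXT = r"""\.(vbs|vbe|js|jse|wsf|hta|ps1)(["'\s]|$)"""
DROPPED_EXT = r"\.(exe|scr|pif|cpl|com)$"
DROPPED_DIRS = r"(temp|downloads|desktop|public)"
DROPPED_PARENTS = r"(winword|excel|powerpnt|outlook|explorer|winrar|7z(fm|g)?)\.exe"


def _m(pattern, value):
    """Case-insensitive substring regex, mirroring LOWER(x) MATCHES '.*?pattern.*'."""
    return re.search(pattern, (value or "").lower()) is not None


def classify(ev, require_image_in_user_path=False):
    """Return the detection_branch the query assigns to one Sysmon Event ID 1
    record (dict keyed like the QRadar custom properties), else 'Unknown'.
    require_image_in_user_path is an added tightening of the fourth branch (an
    assumption, not in the query): the executable itself must live under a
    user-writable path, not merely have its working directory there."""
    if str(ev.get("EventID")) != "1":
        return "Unknown"
    img, cmd = ev.get("Image"), ev.get("CommandLine")
    pimg, pcmd, cwd = ev.get("ParentImage"), ev.get("ParentCommandLine"), ev.get("CurrentDirectory")
    if _m(OFFICE_PARENTS, pimg) and _m(LOLBIN_CHILDREN, img):
        return "Office_SuspiciousChildSpawn"
    if _m(SCRIPT_HOSTS, img) and (_m(USER_PATHS, cmd) or _m(SCRIPT_EXT, cmd)):
        return "Script_UserPathExecution"
    if (_m(r"explorer\.exe", pimg) and _m(SHELL_CHILDREN, img)
            and (_m(USER_PATHS, cmd) or _m(r"\.lnk", pcmd))):
        return "LnkIso_ShellExecution"
    if (_m(DROPPED_EXT, img) and _m(DROPPED_DIRS, cwd) and _m(DROPPED_PARENTS, pimg)
            and (not require_image_in_user_path or _m(USER_PATHS, img))):
        return "Dropped_ExecutableRun"
    return "Unknown"


def alerts(events, approved_scripts=(), strict_dropped=False):
    """Classify events and apply the tuning from the False Positives section:
    approved_scripts is an assumed IT-managed script inventory (lower-case
    full paths) whose invocations are suppressed in Script_UserPathExecution."""
    out = []
    for ev in events:
        branch = classify(ev, require_image_in_user_path=strict_dropped)
        if branch == "Unknown":
            continue
        cmd = (ev.get("CommandLine") or "").lower()
        if branch == "Script_UserPathExecution" and any(p in cmd for p in approved_scripts):
            continue
        out.append((branch, ev["Image"].rsplit("\\", 1)[-1].lower()))
    return out


# Constructed Sysmon Event ID 1 records (not captured telemetry) shaped like the
# four tests' expected signals, plus a benign Explorer launch, an Explorer-launched
# download, and an assumed IT script run from AppData.
SAMPLE_EVENTS = [
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami > df00tech-macro-test.txt",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentCommandLine": '"WINWORD.EXE" /n', "CurrentDirectory": r"C:\Users\alice\Documents"},
    {"EventID": "1", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\alice\Downloads\df00tech-invoice.vbs",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe",
     "CurrentDirectory": r"C:\Users\alice\Downloads"},
    {"EventID": "1", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\AppData\Local\Temp\df00tech-payload.hta",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe",
     "CurrentDirectory": r"C:\Users\alice\AppData\Local\Temp"},
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c D:\payload.bat",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe D:\invoice.lnk", "CurrentDirectory": "D:\\"},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\Desktop\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "CurrentDirectory": r"C:\Users\alice\Desktop"},
    {"EventID": "1", "Image": r"C:\Users\alice\Downloads\setup.exe", "CommandLine": "setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "CurrentDirectory": r"C:\Users\alice\Downloads"},
    {"EventID": "1", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe //B C:\Users\bob\AppData\Roaming\ITTools\inventory.vbs",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe",
     "CurrentDirectory": r"C:\Users\bob"},
]
APPROVED_SCRIPTS = {r"c:\users\bob\appdata\roaming\ittools\inventory.vbs"}  # assumed inventory

if __name__ == "__main__":
    for branch, image in alerts(SAMPLE_EVENTS, APPROVED_SCRIPTS, strict_dropped=True):
        print(f"{branch:28} {image}")
```

Run as-is, the untuned classifier flags all seven records, including the benign notepad.exe launched by Explorer with its working directory on the Desktop; with strict_dropped=True that record drops out while the Explorer-launched setup.exe from Downloads is still reported, and the allowlisted IT script is suppressed. Keep the regex fragments in step with the AQL if you change either side.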
References
- https://attack.mitre.org/techniques/T1204/002/
- https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/
- https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-how-to-protect-against-this-malware
- https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups/
- https://docs.microsoft.com/en-us/deployoffice/security/internet-macros-blocked