Detect Malicious File in Microsoft Sentinel
Adversaries rely on users opening malicious files to gain code execution. Files delivered via spearphishing attachments or placed in shared directories include .doc, .xls, .pdf, .rtf, .scr, .exe, .lnk, .pif, .cpl, .iso, and others. Social engineering lures users into enabling macros, extracting archives, or double-clicking payloads. Execution typically manifests as an Office application, PDF reader, or shell process spawning a scripting engine, command interpreter, or LOLBin as a child process.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1204 User Execution
- Sub-technique: T1204.002 Malicious File
- Canonical reference: https://attack.mitre.org/techniques/T1204/002/
KQL Detection Query
let OfficeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "mspub.exe", "visio.exe", "wordpad.exe", "acrord32.exe", "foxitreader.exe", "sumatra.exe"]);
let SuspiciousChildren = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msbuild.exe", "wmic.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "cmstp.exe", "explorer.exe", "schtasks.exe", "at.exe", "net.exe", "netsh.exe", "curl.exe", "wget.exe"]);
let SuspiciousPaths = dynamic(["\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\", "\\Downloads\\", "\\Desktop\\", "\\Public\\", "\\Temp\\", "\\Windows\\Temp\\"]);
// Branch 1: Office/PDF apps spawning suspicious child processes (macro/script execution)
let OfficeSuspawnBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (OfficeApps)
| where FileName has_any (SuspiciousChildren)
| extend DetectionBranch = "Office_SuspiciousChildSpawn"
| extend RiskIndicator = strcat(InitiatingProcessFileName, " -> ", FileName);
// Branch 2: Script files (VBS/JS/HTA/WSF) executing from user writeable paths
let ScriptExecBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any (SuspiciousPaths)
or ProcessCommandLine matches regex @"(?i)\.(vbs|vbe|js|jse|wsf|hta|ps1)\b" // script-file extension at a word boundary (quoted or unquoted argument)
| extend DetectionBranch = "Script_UserPathExecution"
| extend RiskIndicator = strcat(FileName, ": ", ProcessCommandLine);
// Branch 3: LNK or ISO-based execution (shell spawning from mounted image or lnk shortcut)
let LnkIsoBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "explorer.exe"
| where ProcessCommandLine has_any (SuspiciousChildren)
| where FolderPath has_any (SuspiciousPaths)
or InitiatingProcessCommandLine has ".lnk"
or FolderPath matches regex @"[A-Z]:\\[A-Z0-9]{1,4}\\"
| extend DetectionBranch = "LnkIso_ShellExecution"
| extend RiskIndicator = strcat("Explorer child: ", FileName, " from ", FolderPath);
// Branch 4: Executable dropped to temp/download path and immediately launched
let DroppedExecBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (SuspiciousPaths)
| where FileName matches regex @"(?i)\.(exe|scr|pif|cpl|com)$"
| where InitiatingProcessFileName has_any (OfficeApps)
or InitiatingProcessFileName in~ ("explorer.exe", "winrar.exe", "7z.exe", "7zg.exe", "winzip32.exe")
| extend DetectionBranch = "Dropped_ExecutableRun"
| extend RiskIndicator = strcat("Dropped binary: ", FileName, " path: ", FolderPath);
union OfficeSuspawnBranch, ScriptExecBranch, LnkIsoBranch, DroppedExecBranch
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath,
DetectionBranch, RiskIndicator
| sort by Timestamp desc
Detects malicious file execution via four detection branches: (1) Office/PDF applications spawning suspicious child processes indicative of macro or embedded script execution; (2) script interpreters (wscript, cscript, mshta) launching from user-writeable paths such as Downloads or Temp; (3) Explorer spawning shell binaries via LNK shortcuts or ISO-mounted drives; (4) executables dropped to temp paths by document handlers or archive utilities then immediately executed. Uses DeviceProcessEvents from Microsoft Defender for Endpoint.
Data Sources
Required Tables
- DeviceProcessEvents (Microsoft Defender for Endpoint)
False Positives & Tuning
- Legitimate macro-enabled documents used by finance or HR teams that spawn cmd.exe or PowerShell for approved business automation
- IT software installation packages that extract and run executables from the user's Downloads or Temp folder (e.g., offline installers)
- PDF forms with embedded JavaScript that invoke Acrobat helper processes for printing or submission
- Developer toolchains that invoke build scripts (MSBuild, cscript) from project directories under AppData
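As an added example (not code from the original page or its authors), the Python below re-implements the four branches of the KQL query above over constructed DeviceProcessEvents-shaped rows, then applies the kind of allow-list tuning this False Positives list calls for, so it serves both the query section and this one. KQL `has_any` is term-based, and the `has_any` helper approximates that with token matching; the `FIN-` device prefix, the `\FinanceTools\` path, and every sample row are constructed assumptions rather than values from the page.

```python
# Added example: Python mirror of the four-branch KQL detection, run over
# constructed DeviceProcessEvents-shaped rows, plus a tuning pass. Not part of
# the original detection page; all sample values below are constructed.
import re

OFFICE_APPS = ["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "mspub.exe",
               "visio.exe", "wordpad.exe", "acrord32.exe", "foxitreader.exe", "sumatra.exe"]
SUSPICIOUS_CHILDREN = ["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                       "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msbuild.exe",
                       "wmic.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "cmstp.exe", "explorer.exe",
                       "schtasks.exe", "at.exe", "net.exe", "netsh.exe", "curl.exe", "wget.exe"]
SUSPICIOUS_PATHS = ["\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\", "\\Downloads\\", "\\Desktop\\",
                    "\\Public\\", "\\Temp\\", "\\Windows\\Temp\\"]
SCRIPT_HOSTS = ["wscript.exe", "cscript.exe", "mshta.exe"]
ARCHIVERS = ["explorer.exe", "winrar.exe", "7z.exe", "7zg.exe", "winzip32.exe"]
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|ps1)\b", re.I)
DROPPED_EXT_RE = re.compile(r"\.(exe|scr|pif|cpl|com)$", re.I)
SHORT_VOLUME_DIR_RE = re.compile(r"[A-Z]:\\[A-Z0-9]{1,4}\\")  # case-sensitive, as in the KQL
_TERM_RE = re.compile(r"[a-z0-9]+")


def has_any(text, values):
    """Approximation of KQL has_any: the value's terms (split on non-alphanumerics,
    case-insensitive) must appear as a contiguous run of terms in the text."""
    terms = _TERM_RE.findall(text.lower())
    for value in values:
        vt = _TERM_RE.findall(value.lower())
        n = len(vt)
        if n and any(terms[i:i + n] == vt for i in range(len(terms) - n + 1)):
            return True
    return False


def in_ci(text, values):
    """KQL in~ : exact match, case-insensitive."""
    return text.lower() in [v.lower() for v in values]


# Branch 1: Office/PDF reader spawning a scripting engine, interpreter or LOLBin
def office_suspawn(r):
    return has_any(r["InitiatingProcessFileName"], OFFICE_APPS) and has_any(r["FileName"], SUSPICIOUS_CHILDREN)


# Branch 2: script host run from a user-writeable path or with a script-file argument
def script_userpath(r):
    return in_ci(r["FileName"], SCRIPT_HOSTS) and (
        has_any(r["ProcessCommandLine"], SUSPICIOUS_PATHS) or bool(SCRIPT_EXT_RE.search(r["ProcessCommandLine"])))


# Branch 3: Explorer launching a shell binary via an LNK or from a short mounted-volume path
def lnk_iso_shell(r):
    return (r["InitiatingProcessFileName"].lower() == "explorer.exe"
            and has_any(r["ProcessCommandLine"], SUSPICIOUS_CHILDREN)
            and (has_any(r["FolderPath"], SUSPICIOUS_PATHS)
                 or has_any(r["InitiatingProcessCommandLine"], [".lnk"])
                 or bool(SHORT_VOLUME_DIR_RE.search(r["FolderPath"]))))


# Branch 4: executable dropped to a temp/download path by a document handler or archiver
def dropped_exec(r):
    return (has_any(r["FolderPath"], SUSPICIOUS_PATHS)
            and bool(DROPPED_EXT_RE.search(r["FileName"]))
            and (has_any(r["InitiatingProcessFileName"], OFFICE_APPS)
                 or in_ci(r["InitiatingProcessFileName"], ARCHIVERS)))


BRANCHES = {
    "Office_SuspiciousChildSpawn": office_suspawn,
    "Script_UserPathExecution": script_userpath,
    "LnkIso_ShellExecution": lnk_iso_shell,
    "Dropped_ExecutableRun": dropped_exec,
}


def detect(rows, allowlist=()):
    """Mirror the KQL union: one alert per (row, matching branch), newest first.
    Rows matching a tuning predicate are kept but flagged Suppressed, so the
    exclusion stays reviewable instead of silently discarding telemetry."""
    alerts = []
    for r in rows:
        for branch, matches in BRANCHES.items():
            if matches(r):
                alerts.append({**r, "DetectionBranch": branch,
                               "Suppressed": any(ok(r) for ok in allowlist)})
    return sorted(alerts, key=lambda a: a["Timestamp"], reverse=True)


def event(ts, device, account, parent, parent_cmd, child, child_cmd, folder):
    return {"Timestamp": ts, "DeviceName": device, "AccountName": account,
            "InitiatingProcessFileName": parent, "InitiatingProcessCommandLine": parent_cmd,
            "FileName": child, "ProcessCommandLine": child_cmd, "FolderPath": folder}


# Constructed sample telemetry (not real data): one row per scenario, last two benign.
SAMPLE_EVENTS = [
    event("2024-05-01T09:00:00Z", "WS-0412", "alice", "winword.exe", "WINWORD.EXE invoice.docm",
          "cmd.exe", "cmd.exe /c whoami", r"C:\Windows\System32\cmd.exe"),
    event("2024-05-01T09:01:00Z", "WS-0412", "alice", "explorer.exe", "explorer.exe",
          "wscript.exe", r'wscript.exe "C:\Users\alice\Downloads\invoice.vbs"', r"C:\Windows\System32\wscript.exe"),
    event("2024-05-01T09:02:00Z", "WS-0412", "alice", "explorer.exe", r'explorer.exe "E:\invoice.lnk"',
          "cmd.exe", r"cmd.exe /c E:\payload.bat", r"C:\Windows\System32\cmd.exe"),
    event("2024-05-01T09:03:00Z", "WS-0412", "alice", "7z.exe", r'7z.exe x "C:\Users\alice\Downloads\tools.7z"',
          "setup.exe", r'"C:\Users\alice\Downloads\setup.exe"', r"C:\Users\alice\Downloads\setup.exe"),
    event("2024-05-01T09:04:00Z", "FIN-WS01", "finance_svc", "excel.exe", "EXCEL.EXE monthclose.xlsm",
          "cmd.exe", r"cmd.exe /c C:\FinanceTools\monthclose.bat", r"C:\Windows\System32\cmd.exe"),
    event("2024-05-01T09:05:00Z", "WS-0412", "SYSTEM", "services.exe", "services.exe",
          "svchost.exe", "svchost.exe -k netsvcs", r"C:\Windows\System32\svchost.exe"),
]

# Tuning predicate for the approved finance macro automation named in the False Positives
# list. The FIN- device prefix and FinanceTools path are constructed conventions (assumption).
TUNING_ALLOWLIST = [
    lambda r: r["DeviceName"].startswith("FIN-") and has_any(r["ProcessCommandLine"], ["\\FinanceTools\\"]),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, TUNING_ALLOWLIST):
        flag = "SUPPRESSED" if a["Suppressed"] else "ALERT"
        print(f'{a["Timestamp"]} {flag:10} {a["DetectionBranch"]:28} {a["InitiatingProcessFileName"]} -> {a["FileName"]}')
```

Run as a script, the six constructed rows produce five alerts: one per branch for the four malicious scenarios, one suppressed finance-automation hit, and nothing for the services.exe row. Keeping suppressed hits as flagged rows rather than filtering them in the `where` clause mirrors how a tuning exclusion should be added to the Sentinel rule: scoped to a device group and a known path, and still visible when the exclusion is audited.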
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Word Document Macro Spawning PowerShell
Expected signal: Sysmon Event ID 1: Process Create with ParentImage=WINWORD.EXE and Image=cmd.exe, CommandLine containing 'whoami'. Security Event ID 4688 (if command line auditing enabled) with same parent-child relationship. Sysmon Event ID 11: File creation of df00tech-macro-test.txt by cmd.exe.
- Test 2: VBScript Execution from Downloads Folder
Expected signal: Sysmon Event ID 1: Process Create with Image=wscript.exe, CommandLine containing the path to df00tech-invoice.vbs in the Downloads folder. ParentImage will be cmd.exe (simulating Explorer shell execution). Sysmon Event ID 11: File creation of df00tech-vbs-test.txt by cmd.exe child of wscript.exe.
- Test 3: HTA File Execution Simulating Phishing Payload
Expected signal: Sysmon Event ID 1 (first): Process Create for mshta.exe with CommandLine pointing to df00tech-payload.hta in TEMP. Sysmon Event ID 1 (second): cmd.exe as child of mshta.exe with CommandLine containing 'whoami'. Sysmon Event ID 11: File creation of df00tech-hta-test.txt.
- Test 4: ISO-Mounted LNK File Executing Payload (MOTW Bypass Simulation)
Expected signal: Sysmon Event ID 1: Process Create with ParentImage=explorer.exe, Image=cmd.exe, with CommandLine containing path to payload.bat. Sysmon Event ID 11: File creation of invoice.lnk and payload.bat in the simulated ISO directory. Sysmon Event ID 11: df00tech-iso-result.txt created by cmd.exe.
References (10)
- https://attack.mitre.org/techniques/T1204/002/
- https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/
- https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://www.cybereason.com/blog/threat-analysis-report-all-paths-lead-to-cobalt-strike-how-to-protect-against-this-malware
- https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups/
- https://docs.microsoft.com/en-us/deployoffice/security/internet-macros-blocked