T1204 Google Chronicle · YARA-L

Detect User Execution in Google Chronicle

Adversaries rely on specific actions by a user to gain execution. Users are subjected to social engineering to execute malicious code by opening malicious document files, clicking links, running copy-pasted commands, or installing remote access tools under false pretenses. This technique frequently follows phishing (T1566) and encompasses a wide range of deceptive methods including malicious Office documents spawning shells, fake CAPTCHAs instructing users to paste PowerShell into Run dialogs (ClickFix/ClearFake), tech support scams prompting RAT installation, and malicious LNK files on removable media. Threat groups including Scattered Spider, LAPSUS$, and malware families like Lumma Stealer and Raspberry Robin rely heavily on user-initiated execution to bypass automated defenses.

MITRE ATT&CK

Tactic
Execution
Technique
T1204 User Execution
Canonical reference
https://attack.mitre.org/techniques/T1204/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1204_user_execution {
  meta:
    author = "Detection Engineering"
    description = "Detects T1204 User Execution via office/browser shell spawn, RAT execution, or executables from user-writable directories"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1204"
    mitre_attack_technique_name = "User Execution"
    severity = "HIGH"
    priority = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1204/"
    created = "2026-04-19"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.metadata.product_name = "WINDOWS"

    // Pattern 1: Office/Browser spawning shell interpreter
    (
      re.regex($e.principal.process.file.full_path,
        `(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mspub\.exe|onenote\.exe|visio\.exe|acrord32\.exe|acrobat\.exe|foxitreader\.exe|chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe)$`)
      and re.regex($e.target.process.file.full_path,
        `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe)$`)
    )
    or
    // Pattern 2: RAT binary execution (social engineering)
    re.regex($e.target.process.file.full_path,
      `(?i)(anydesk\.exe|teamviewer\.exe|screenconnect\.exe|connectwisecontrol\.exe|splashtopstreamer\.exe|ultraviewer\.exe|rustdesk\.exe|supremo\.exe|radmin\.exe|atera_agent\.exe|netsupport\.exe|level\.exe|fleetdeck\.exe)$`)
    or
    // Pattern 3: Executable launched from user-writable directory via Explorer
    (
      re.regex($e.principal.process.file.full_path, `(?i)explorer\.exe$`)
      and re.regex($e.target.process.file.full_path, `(?i)\.exe$`)
      and re.regex($e.target.process.file.full_path,
        `(?i)(\\Downloads\\|\\Desktop\\|\\AppData\\Local\\Temp\\|\\Users\\Public\\|\\AppData\\Roaming\\)`)
      and not re.regex($e.target.process.file.full_path,
        `(?i)(OneDriveSetup\.exe|Teams\.exe|Slack\.exe|Zoom\.exe|update\.exe|setup\.exe)$`)
    )

  condition:
    $e
}
high severity high confidence

Chronicle YARA-L 2.0 rule detecting T1204 User Execution across three behavioral patterns: office and browser applications spawning shell interpreters (document-based phishing and malicious macros), remote access tool execution indicating social engineering or tech support scams, and explorer-spawned executables from user-writable directories associated with ClickFix, ClearFake, and downloaded malware. Uses UDM process event fields with case-insensitive regex matching on process image paths.

Data Sources

Google Chronicle SIEMChronicle Unified Data Model (UDM)Windows Endpoint Detection (via Chronicle Forwarder or partner ingestion)

Required Tables

PROCESS_LAUNCH UDM events

False Positives & Tuning

  • Finance or operations teams using Excel macros that legitimately call PowerShell or cmd.exe as part of automated data processing or ERP integrations
  • Authorized remote desktop tools deployed by managed service providers or IT teams for legitimate support sessions, especially in organizations without centralized MDM whitelisting
  • Developers and power users running downloaded installers or portable tools directly from the Downloads or Desktop folder during evaluation or onboarding
Download portable Sigma rule (.yml)

Other platforms for T1204

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Malicious Office Document Macro Spawning cmd.exe

    Expected signal: Sysmon Event ID 1: wscript.exe Process Create with CommandLine containing df00tech_test.vbs. Second Sysmon Event ID 1: cmd.exe Process Create with ParentImage=wscript.exe and CommandLine containing whoami. Sysmon Event ID 11: File Create for df00tech_result.txt in %TEMP%.

  2. Test 2Simulated ClickFix / Clipboard Paste Execution (Lumma Stealer Pattern)

    Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing '-enc' and a Base64 string. ParentImage will be powershell.exe (the launcher). PowerShell ScriptBlock Log Event ID 4104 will show decoded content 'Write-Output ClickFix-Test-df00tech'. In a real ClickFix scenario, the parent would be explorer.exe (Run dialog) spawning powershell.exe with -enc.

  3. Test 3Remote Access Tool Execution Simulating Social Engineering

    Expected signal: Sysmon Event ID 11: File Create for AnyDesk.exe in %USERPROFILE%\Downloads\ with initiating process curl.exe. Zone.Identifier ADS written to AnyDesk.exe confirming ZoneId=3 (Internet). If the binary is then executed (in a controlled lab), Sysmon Event ID 1: AnyDesk.exe Process Create with ParentImage=explorer.exe and FolderPath containing \Downloads\.

  4. Test 4Malicious LNK File Execution from Removable Media (Raspberry Robin Pattern)

    Expected signal: Sysmon Event ID 11: File Create for df00tech_lnk_test.lnk in %TEMP%. Sysmon Event ID 1: cmd.exe Process Create with ParentImage=explorer.exe (shell invocation) and CommandLine containing 'LNK-Execution-Test-df00tech'. The FolderPath for cmd.exe will be %TEMP%, which matches the user-writable path detection branch.

Last updated: 2026-04-19 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1204 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (5)

Related Techniques

T1566PhishingT1566.001Spearphishing AttachmentT1566.002Spearphishing LinkT1204.001Malicious LinkT1204.002Malicious FileT1204.003Malicious ImageT1204.004Malicious Copy and PasteT1219Remote Access ToolsT1059.001PowerShellT1059.005Visual BasicT1059.007JavaScriptT1027Obfuscated Files or InformationT1105Ingress Tool TransferT1534Internal Spearphishing

Same Tactic: Execution

Popular Detections