Detect User Execution in Elastic Security
Adversaries rely on specific actions by a user to gain execution. Users are subjected to social engineering to execute malicious code by opening malicious document files, clicking links, running copy-pasted commands, or installing remote access tools under false pretenses. This technique frequently follows phishing (T1566) and encompasses a wide range of deceptive methods including malicious Office documents spawning shells, fake CAPTCHAs instructing users to paste PowerShell into Run dialogs (ClickFix/ClearFake), tech support scams prompting RAT installation, and malicious LNK files on removable media. Threat groups including Scattered Spider, LAPSUS$, and malware families like Lumma Stealer and Raspberry Robin rely heavily on user-initiated execution to bypass automated defenses.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1204 User Execution
- Canonical reference
- https://attack.mitre.org/techniques/T1204/
Elastic Detection Query
sequence by host.id with maxspan=5s
[process where event.type == "start" and
process.parent.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE",
"MSPUB.EXE", "ONENOTE.EXE", "VISIO.EXE",
"acrord32.exe", "acrobat.exe", "foxitreader.exe",
"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe") and
process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
"cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
"certutil.exe", "bitsadmin.exe")] by process.parent.entity_id
pipe
process where event.type == "start" and
process.name : ("anydesk.exe", "teamviewer.exe", "screenconnect.exe",
"connectwisecontrol.exe", "splashtopstreamer.exe", "ultraviewer.exe",
"rustdesk.exe", "supremo.exe", "radmin.exe", "atera_agent.exe",
"netsupport.exe", "level.exe", "fleetdeck.exe")
pipe
process where event.type == "start" and
process.parent.name : "explorer.exe" and
process.name : "*.exe" and
process.executable : ("*\\Downloads\\*", "*\\Desktop\\*",
"*\\AppData\\Local\\Temp\\*", "*\\Users\\Public\\*",
"*\\AppData\\Roaming\\*") and
not process.name : ("OneDriveSetup.exe", "Teams.exe", "Slack.exe",
"Zoom.exe", "update.exe", "setup.exe")Detects T1204 User Execution via three correlated patterns: (1) office application or browser spawning shell interpreters indicating malicious document/phishing execution, (2) remote access tool (RAT) execution commonly used in tech support scams and social engineering, and (3) executables launched from user-writable directories via Explorer suggesting downloaded malware or ClickFix/ClearFake payloads. Uses EQL sequences for office/shell correlation and standalone process events for RAT and user-directory checks.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate macro-enabled Office documents used by finance or HR teams that spawn cmd.exe for scripted data exports or report generation
- IT administrators deploying TeamViewer, AnyDesk, or ScreenConnect for authorized remote support — especially common during onboarding or helpdesk workflows
- Developers running executables from Downloads or Desktop during software evaluation, testing, or personal productivity workflows on unmanaged endpoints
Other platforms for T1204
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Malicious Office Document Macro Spawning cmd.exe
Expected signal: Sysmon Event ID 1: wscript.exe Process Create with CommandLine containing df00tech_test.vbs. Second Sysmon Event ID 1: cmd.exe Process Create with ParentImage=wscript.exe and CommandLine containing whoami. Sysmon Event ID 11: File Create for df00tech_result.txt in %TEMP%.
- Test 2Simulated ClickFix / Clipboard Paste Execution (Lumma Stealer Pattern)
Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing '-enc' and a Base64 string. ParentImage will be powershell.exe (the launcher). PowerShell ScriptBlock Log Event ID 4104 will show decoded content 'Write-Output ClickFix-Test-df00tech'. In a real ClickFix scenario, the parent would be explorer.exe (Run dialog) spawning powershell.exe with -enc.
- Test 3Remote Access Tool Execution Simulating Social Engineering
Expected signal: Sysmon Event ID 11: File Create for AnyDesk.exe in %USERPROFILE%\Downloads\ with initiating process curl.exe. Zone.Identifier ADS written to AnyDesk.exe confirming ZoneId=3 (Internet). If the binary is then executed (in a controlled lab), Sysmon Event ID 1: AnyDesk.exe Process Create with ParentImage=explorer.exe and FolderPath containing \Downloads\.
- Test 4Malicious LNK File Execution from Removable Media (Raspberry Robin Pattern)
Expected signal: Sysmon Event ID 11: File Create for df00tech_lnk_test.lnk in %TEMP%. Sysmon Event ID 1: cmd.exe Process Create with ParentImage=explorer.exe (shell invocation) and CommandLine containing 'LNK-Execution-Test-df00tech'. The FolderPath for cmd.exe will be %TEMP%, which matches the user-writable path detection branch.
References (10)
- https://attack.mitre.org/techniques/T1204/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/
- https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
- https://blog.talosintelligence.com/roblox-scam-overview/
- https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
- https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
Unlock Pro Content
Get the full detection package for T1204 including response playbook, investigation guide, and atomic red team tests.