Detect User Execution in CrowdStrike LogScale
Adversaries rely on specific actions by a user to gain execution. Users are subjected to social engineering to execute malicious code by opening malicious document files, clicking links, running copy-pasted commands, or installing remote access tools under false pretenses. This technique frequently follows phishing (T1566) and encompasses a wide range of deceptive methods including malicious Office documents spawning shells, fake CAPTCHAs instructing users to paste PowerShell into Run dialogs (ClickFix/ClearFake), tech support scams prompting RAT installation, and malicious LNK files on removable media. Threat groups including Scattered Spider, LAPSUS$, and malware families like Lumma Stealer and Raspberry Robin rely heavily on user-initiated execution to bypass automated defenses.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1204 User Execution
- Canonical reference
- https://attack.mitre.org/techniques/T1204/
LogScale Detection Query
// T1204 User Execution — CrowdStrike LogScale (Falcon)
// Pattern 1: Office/Browser spawning shell interpreter
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^(WINWORD|EXCEL|POWERPNT|OUTLOOK|MSPUB|ONENOTE|VISIO|acrord32|acrobat|foxitreader|chrome|msedge|firefox|iexplore|opera)\.exe$/
| ImageFileName = /(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe$/
| eval DetectionCategory="Office/Browser Shell Spawn"
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionCategory])
union
// Pattern 2: Remote Access Tool execution
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(anydesk|teamviewer|screenconnect|connectwisecontrol|splashtopstreamer|ultraviewer|rustdesk|supremo|radmin|atera_agent|netsupport|level|fleetdeck)\.exe$/
| eval DetectionCategory="Remote Access Tool Execution"
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionCategory])
union
// Pattern 3: Executable launched from user-writable directory via explorer.exe
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^explorer\.exe$/
| ImageFileName = /(?i)\.exe$/
| ImageFileName = /(?i)(\\Downloads\\|\\Desktop\\|\\AppData\\Local\\Temp\\|\\Users\\Public\\|\\AppData\\Roaming\\)/
| ImageFileName != /(?i)(OneDriveSetup|Teams|Slack|Zoom|update|setup)\.exe$/
| eval DetectionCategory="Executable from User-Writable Directory"
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionCategory])
| sort(@timestamp, order=desc)CrowdStrike LogScale (Falcon) detection for T1204 User Execution using ProcessRollup2 events from the Falcon sensor. Three unioned patterns cover the full threat surface: (1) office applications and browsers spawning shell interpreters indicating macro-based phishing or malicious document execution, (2) remote access tool binaries associated with social engineering and tech support scams (Scattered Spider, Lumma Stealer delivery), and (3) explorer-spawned executables from user-writable paths consistent with ClickFix paste attacks, ClearFake campaigns, and Raspberry Robin LNK execution. Results are unioned and sorted by timestamp descending for analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate business use of Office macros that call PowerShell or cmd.exe for ETL, report generation, or workflow automation — especially common in finance, HR, and operations teams
- IT-sanctioned deployment or active sessions of remote access tools like TeamViewer, AnyDesk, or ScreenConnect during authorized helpdesk or managed service activities
- End-user execution of downloaded software installers or portable utilities from Desktop or Downloads folder, particularly during software evaluations or self-service IT tasks on non-managed systems
Other platforms for T1204
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Malicious Office Document Macro Spawning cmd.exe
Expected signal: Sysmon Event ID 1: wscript.exe Process Create with CommandLine containing df00tech_test.vbs. Second Sysmon Event ID 1: cmd.exe Process Create with ParentImage=wscript.exe and CommandLine containing whoami. Sysmon Event ID 11: File Create for df00tech_result.txt in %TEMP%.
- Test 2Simulated ClickFix / Clipboard Paste Execution (Lumma Stealer Pattern)
Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing '-enc' and a Base64 string. ParentImage will be powershell.exe (the launcher). PowerShell ScriptBlock Log Event ID 4104 will show decoded content 'Write-Output ClickFix-Test-df00tech'. In a real ClickFix scenario, the parent would be explorer.exe (Run dialog) spawning powershell.exe with -enc.
- Test 3Remote Access Tool Execution Simulating Social Engineering
Expected signal: Sysmon Event ID 11: File Create for AnyDesk.exe in %USERPROFILE%\Downloads\ with initiating process curl.exe. Zone.Identifier ADS written to AnyDesk.exe confirming ZoneId=3 (Internet). If the binary is then executed (in a controlled lab), Sysmon Event ID 1: AnyDesk.exe Process Create with ParentImage=explorer.exe and FolderPath containing \Downloads\.
- Test 4Malicious LNK File Execution from Removable Media (Raspberry Robin Pattern)
Expected signal: Sysmon Event ID 11: File Create for df00tech_lnk_test.lnk in %TEMP%. Sysmon Event ID 1: cmd.exe Process Create with ParentImage=explorer.exe (shell invocation) and CommandLine containing 'LNK-Execution-Test-df00tech'. The FolderPath for cmd.exe will be %TEMP%, which matches the user-writable path detection branch.
References (10)
- https://attack.mitre.org/techniques/T1204/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/
- https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
- https://blog.talosintelligence.com/roblox-scam-overview/
- https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
- https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
Unlock Pro Content
Get the full detection package for T1204 including response playbook, investigation guide, and atomic red team tests.