T1204 IBM QRadar · QRadar

Detect User Execution in IBM QRadar

Adversaries rely on specific actions by a user to gain execution. Users are subjected to social engineering to execute malicious code by opening malicious document files, clicking links, running copy-pasted commands, or installing remote access tools under false pretenses. This technique frequently follows phishing (T1566) and encompasses a wide range of deceptive methods including malicious Office documents spawning shells, fake CAPTCHAs instructing users to paste PowerShell into Run dialogs (ClickFix/ClearFake), tech support scams prompting RAT installation, and malicious LNK files on removable media. Threat groups including Scattered Spider, LAPSUS$, and malware families like Lumma Stealer and Raspberry Robin rely heavily on user-initiated execution to bypass automated defenses.

MITRE ATT&CK

Tactic
Execution
Technique
T1204 User Execution
Canonical reference
https://attack.mitre.org/techniques/T1204/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "sourceip",
  QIDNAME(qid) AS event_name,
  "ParentImage",
  "Image",
  "CommandLine",
  CASE
    WHEN LOWER("ParentImage") MATCHES REGEX '(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mspub\.exe|onenote\.exe|visio\.exe|acrord32\.exe|acrobat\.exe|foxitreader\.exe|chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe)'
         AND LOWER("Image") MATCHES REGEX '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe)'
      THEN 'Office/Browser Shell Spawn'
    WHEN LOWER("Image") MATCHES REGEX '(anydesk\.exe|teamviewer\.exe|screenconnect\.exe|connectwisecontrol\.exe|splashtopstreamer\.exe|ultraviewer\.exe|rustdesk\.exe|supremo\.exe|radmin\.exe|atera_agent\.exe|netsupport\.exe)'
      THEN 'Remote Access Tool Execution'
    WHEN LOWER("ParentImage") MATCHES REGEX 'explorer\.exe'
         AND LOWER("Image") MATCHES REGEX '\.exe$'
         AND LOWER("Image") MATCHES REGEX '(\\\\downloads\\\\|\\\\desktop\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\users\\\\public\\\\|\\\\appdata\\\\roaming\\\\)'
         AND NOT LOWER("Image") MATCHES REGEX '(onedrive|teams\.exe|slack\.exe|zoom\.exe|update\.exe|setup\.exe)'
      THEN 'Executable from User-Writable Directory'
    ELSE 'Unknown'
  END AS detection_category
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 119)
  AND "EventID" = '1'
  AND LONG(starttime) >= LONG(NOW()) - 86400000
  AND (
    (
      LOWER("ParentImage") MATCHES REGEX '(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mspub\.exe|onenote\.exe|visio\.exe|acrord32\.exe|acrobat\.exe|foxitreader\.exe|chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe)'
      AND LOWER("Image") MATCHES REGEX '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe)'
    )
    OR LOWER("Image") MATCHES REGEX '(anydesk\.exe|teamviewer\.exe|screenconnect\.exe|connectwisecontrol\.exe|splashtopstreamer\.exe|ultraviewer\.exe|rustdesk\.exe|supremo\.exe|radmin\.exe|atera_agent\.exe|netsupport\.exe)'
    OR (
      LOWER("ParentImage") MATCHES REGEX 'explorer\.exe'
      AND LOWER("Image") MATCHES REGEX '\.exe$'
      AND LOWER("Image") MATCHES REGEX '(\\\\downloads\\\\|\\\\desktop\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\users\\\\public\\\\|\\\\appdata\\\\roaming\\\\)'
      AND NOT LOWER("Image") MATCHES REGEX '(onedrive|teams\.exe|slack\.exe|zoom\.exe|update\.exe|setup\.exe)'
    )
  )
ORDER BY starttime DESC
high severity high confidence

Detects T1204 User Execution in IBM QRadar using Sysmon Event ID 1 (Process Create) from Windows endpoints. Identifies three high-fidelity patterns: office applications or browsers spawning shell interpreters (indicating document-based phishing), execution of known remote access tools (social engineering / tech support scams), and executables launched by explorer.exe from user-writable directories. Uses AQL MATCHES REGEX for pattern matching across process image paths and CASE statements for alert categorization.

Data Sources

IBM QRadar SIEMSysmon via Windows Event ForwardingQRadar Windows Security DSM

Required Tables

events

False Positives & Tuning

  • Legitimate macro-enabled documents used in business workflows (e.g., Excel-based automation triggering cmd.exe for data processing pipelines in finance departments)
  • Authorized deployment of remote management tools such as TeamViewer or ScreenConnect by IT helpdesk teams for endpoint support
  • Software developers running executables from Downloads or AppData directories during local build, test, or evaluation workflows
Download portable Sigma rule (.yml)

Other platforms for T1204

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Malicious Office Document Macro Spawning cmd.exe

    Expected signal: Sysmon Event ID 1: wscript.exe Process Create with CommandLine containing df00tech_test.vbs. Second Sysmon Event ID 1: cmd.exe Process Create with ParentImage=wscript.exe and CommandLine containing whoami. Sysmon Event ID 11: File Create for df00tech_result.txt in %TEMP%.

  2. Test 2Simulated ClickFix / Clipboard Paste Execution (Lumma Stealer Pattern)

    Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing '-enc' and a Base64 string. ParentImage will be powershell.exe (the launcher). PowerShell ScriptBlock Log Event ID 4104 will show decoded content 'Write-Output ClickFix-Test-df00tech'. In a real ClickFix scenario, the parent would be explorer.exe (Run dialog) spawning powershell.exe with -enc.

  3. Test 3Remote Access Tool Execution Simulating Social Engineering

    Expected signal: Sysmon Event ID 11: File Create for AnyDesk.exe in %USERPROFILE%\Downloads\ with initiating process curl.exe. Zone.Identifier ADS written to AnyDesk.exe confirming ZoneId=3 (Internet). If the binary is then executed (in a controlled lab), Sysmon Event ID 1: AnyDesk.exe Process Create with ParentImage=explorer.exe and FolderPath containing \Downloads\.

  4. Test 4Malicious LNK File Execution from Removable Media (Raspberry Robin Pattern)

    Expected signal: Sysmon Event ID 11: File Create for df00tech_lnk_test.lnk in %TEMP%. Sysmon Event ID 1: cmd.exe Process Create with ParentImage=explorer.exe (shell invocation) and CommandLine containing 'LNK-Execution-Test-df00tech'. The FolderPath for cmd.exe will be %TEMP%, which matches the user-writable path detection branch.

Last updated: 2026-04-19 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1204 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (5)

Related Techniques

T1566PhishingT1566.001Spearphishing AttachmentT1566.002Spearphishing LinkT1204.001Malicious LinkT1204.002Malicious FileT1204.003Malicious ImageT1204.004Malicious Copy and PasteT1219Remote Access ToolsT1059.001PowerShellT1059.005Visual BasicT1059.007JavaScriptT1027Obfuscated Files or InformationT1105Ingress Tool TransferT1534Internal Spearphishing

Same Tactic: Execution

Popular Detections