Detect User Execution in Microsoft Sentinel
Adversaries rely on specific actions by a user to gain execution. Users are subjected to social engineering to execute malicious code by opening malicious document files, clicking links, running copy-pasted commands, or installing remote access tools under false pretenses. This technique frequently follows phishing (T1566) and encompasses a wide range of deceptive methods including malicious Office documents spawning shells, fake CAPTCHAs instructing users to paste PowerShell into Run dialogs (ClickFix/ClearFake), tech support scams prompting RAT installation, and malicious LNK files on removable media. Threat groups including Scattered Spider, LAPSUS$, and malware families like Lumma Stealer and Raspberry Robin rely heavily on user-initiated execution to bypass automated defenses.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1204 User Execution
- Canonical reference
- https://attack.mitre.org/techniques/T1204/
KQL Detection Query
let OfficeAndDocApps = dynamic([
"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE",
"MSPUB.EXE", "ONENOTE.EXE", "VISIO.EXE",
"acrord32.exe", "acrobat.exe", "foxitreader.exe",
"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe"
]);
let ShellInterpreters = dynamic([
"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
"cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
"certutil.exe", "bitsadmin.exe"
]);
let RATBinaries = dynamic([
"anydesk.exe", "teamviewer.exe", "screenconnect.exe",
"connectwisecontrol.exe", "splashtopstreamer.exe", "ultraviewer.exe",
"rustdesk.exe", "supremo.exe", "ammyy admin.exe", "radmin.exe",
"atera_agent.exe", "level.exe", "fleetdeck.exe", "netsupport.exe"
]);
let UserWritablePaths = dynamic([
"\\Downloads\\", "\\Desktop\\",
"\\AppData\\Local\\Temp\\", "\\Users\\Public\\",
"\\AppData\\Roaming\\"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| extend IsOfficeOrBrowserParent = InitiatingProcessFileName has_any (OfficeAndDocApps)
| extend IsShellChild = FileName has_any (ShellInterpreters)
| extend IsRATExecution = FileName has_any (RATBinaries)
| extend IsUserDirExec = FolderPath has_any (UserWritablePaths)
and FileName endswith ".exe"
and InitiatingProcessFileName =~ "explorer.exe"
// Exclude common legitimate browser-spawned updaters
| where not (
IsUserDirExec
and FileName in~ ("OneDriveSetup.exe", "Teams.exe", "Slack.exe",
"Zoom.exe", "update.exe", "setup.exe")
)
| extend OfficeShellSpawn = IsOfficeOrBrowserParent and IsShellChild
| where OfficeShellSpawn or IsRATExecution or IsUserDirExec
| extend DetectionCategory = case(
OfficeShellSpawn, "Office/Browser Shell Spawn",
IsRATExecution, "Remote Access Tool Execution (Possible Social Engineering)",
"Executable Launched from User-Writable Directory"
)
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
ProcessCommandLine, InitiatingProcessFileName,
InitiatingProcessCommandLine, DetectionCategory
| sort by Timestamp descDetects three primary User Execution patterns using Microsoft Defender for Endpoint DeviceProcessEvents. First, it identifies Office applications, PDF readers, and browsers spawning shell interpreters (cmd, PowerShell, wscript, mshta), which is the classic malicious document execution chain. Second, it detects known remote access tool (RAT) binaries being executed from user-facing parent processes, consistent with tech support scam or social engineering scenarios used by Scattered Spider and LAPSUS$. Third, it identifies arbitrary executables launched by explorer.exe (user double-clicked) from user-writable paths such as Downloads and Desktop, which are common staging directories for delivered payloads.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate IT-deployed remote access tools (AnyDesk, TeamViewer, ScreenConnect) installed by helpdesk staff — these should appear with MSI/SCCM parent processes rather than browsers or explorer.exe
- Developers running scripts directly from their Downloads or Desktop folder — allowlist known developer workstations or specific AccountNames with documented exceptions
- Office macros used by finance or operations teams for legitimate automation — document and allowlist specific macro-enabled workbooks and the user accounts that run them
- Browser-spawned update helpers or credential managers that briefly launch from AppData\Roaming — build a baseline of expected binaries per application
Other platforms for T1204
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Malicious Office Document Macro Spawning cmd.exe
Expected signal: Sysmon Event ID 1: wscript.exe Process Create with CommandLine containing df00tech_test.vbs. Second Sysmon Event ID 1: cmd.exe Process Create with ParentImage=wscript.exe and CommandLine containing whoami. Sysmon Event ID 11: File Create for df00tech_result.txt in %TEMP%.
- Test 2Simulated ClickFix / Clipboard Paste Execution (Lumma Stealer Pattern)
Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing '-enc' and a Base64 string. ParentImage will be powershell.exe (the launcher). PowerShell ScriptBlock Log Event ID 4104 will show decoded content 'Write-Output ClickFix-Test-df00tech'. In a real ClickFix scenario, the parent would be explorer.exe (Run dialog) spawning powershell.exe with -enc.
- Test 3Remote Access Tool Execution Simulating Social Engineering
Expected signal: Sysmon Event ID 11: File Create for AnyDesk.exe in %USERPROFILE%\Downloads\ with initiating process curl.exe. Zone.Identifier ADS written to AnyDesk.exe confirming ZoneId=3 (Internet). If the binary is then executed (in a controlled lab), Sysmon Event ID 1: AnyDesk.exe Process Create with ParentImage=explorer.exe and FolderPath containing \Downloads\.
- Test 4Malicious LNK File Execution from Removable Media (Raspberry Robin Pattern)
Expected signal: Sysmon Event ID 11: File Create for df00tech_lnk_test.lnk in %TEMP%. Sysmon Event ID 1: cmd.exe Process Create with ParentImage=explorer.exe (shell invocation) and CommandLine containing 'LNK-Execution-Test-df00tech'. The FolderPath for cmd.exe will be %TEMP%, which matches the user-writable path detection branch.
References (10)
- https://attack.mitre.org/techniques/T1204/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/
- https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
- https://blog.talosintelligence.com/roblox-scam-overview/
- https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
- https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
Unlock Pro Content
Get the full detection package for T1204 including response playbook, investigation guide, and atomic red team tests.