Detect User Execution in Splunk
Adversaries rely on specific actions by a user to gain execution. Users are subjected to social engineering to execute malicious code by opening malicious document files, clicking links, running copy-pasted commands, or installing remote access tools under false pretenses. This technique frequently follows phishing (T1566) and encompasses a wide range of deceptive methods including malicious Office documents spawning shells, fake CAPTCHAs instructing users to paste PowerShell into Run dialogs (ClickFix/ClearFake), tech support scams prompting RAT installation, and malicious LNK files on removable media. Threat groups including Scattered Spider, LAPSUS$, and malware families like Lumma Stealer and Raspberry Robin rely heavily on user-initiated execution to bypass automated defenses.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1204 User Execution
- Canonical reference
- https://attack.mitre.org/techniques/T1204/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ParentImageLower=lower(ParentImage)
| eval ImageLower=lower(Image)
| eval CommandLineLower=lower(CommandLine)
| eval FolderPath=lower(replace(Image, "[^\\\\/]+$", ""))
| eval IsOfficeOrBrowserParent=if(
match(ParentImageLower,
"(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|mspub\.exe|onenote\.exe|visio\.exe|acrord32\.exe|acrobat\.exe|foxitreader\.exe|chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe)"),
1, 0)
| eval IsShellChild=if(
match(ImageLower,
"(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe)"),
1, 0)
| eval IsRATExecution=if(
match(ImageLower,
"(anydesk\.exe|teamviewer\.exe|screenconnect\.exe|connectwisecontrol\.exe|splashtopstreamer\.exe|ultraviewer\.exe|rustdesk\.exe|supremo\.exe|radmin\.exe|atera_agent\.exe|netsupport\.exe)"),
1, 0)
| eval IsUserDirExec=if(
match(lower(Image), "(\\\\downloads\\\\|\\\\desktop\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\users\\\\public\\\\|\\\\appdata\\\\roaming\\\\)")
AND match(ImageLower, "\.exe$")
AND match(ParentImageLower, "explorer\.exe"),
1, 0)
| eval OfficeShellSpawn=if(IsOfficeOrBrowserParent=1 AND IsShellChild=1, 1, 0)
| where OfficeShellSpawn=1 OR IsRATExecution=1 OR IsUserDirExec=1
| eval DetectionCategory=case(
OfficeShellSpawn=1, "Office/Browser Shell Spawn",
IsRATExecution=1, "Remote Access Tool Execution",
1=1, "Executable from User-Writable Directory")
| where NOT (IsUserDirExec=1 AND match(ImageLower, "(onedrive|teams\.exe|slack\.exe|zoom\.exe|update\.exe|setup\.exe)"))
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionCategory
| sort - _timeDetects User Execution patterns using Sysmon Event ID 1 (Process Creation) in Splunk. Evaluates three detection categories: Office or browser applications spawning shell interpreters (strong indicator of malicious document execution), known remote access tool binaries launched interactively (consistent with social engineering campaigns by Scattered Spider and LAPSUS$), and executables double-clicked by users from writable directories like Downloads, Desktop, and AppData Temp. The eval chain builds boolean indicators per event and a DetectionCategory label to triage without ambiguity.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Helpdesk-deployed remote access tools installed by IT through approved channels — parent process will be msiexec.exe or a management agent rather than browser or explorer.exe
- Developers running build scripts or installers directly from Desktop or Downloads — expected on developer workstations; scope alerts to non-developer OUs or asset groups
- Finance team Excel macros invoking cmd.exe for legacy automation — document and exclude specific workbook paths and associated user accounts after review
- Browser extensions that spawn helper processes — typically spawn from a versioned subdirectory of AppData, not the root Downloads or Desktop paths
Other platforms for T1204
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Malicious Office Document Macro Spawning cmd.exe
Expected signal: Sysmon Event ID 1: wscript.exe Process Create with CommandLine containing df00tech_test.vbs. Second Sysmon Event ID 1: cmd.exe Process Create with ParentImage=wscript.exe and CommandLine containing whoami. Sysmon Event ID 11: File Create for df00tech_result.txt in %TEMP%.
- Test 2Simulated ClickFix / Clipboard Paste Execution (Lumma Stealer Pattern)
Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing '-enc' and a Base64 string. ParentImage will be powershell.exe (the launcher). PowerShell ScriptBlock Log Event ID 4104 will show decoded content 'Write-Output ClickFix-Test-df00tech'. In a real ClickFix scenario, the parent would be explorer.exe (Run dialog) spawning powershell.exe with -enc.
- Test 3Remote Access Tool Execution Simulating Social Engineering
Expected signal: Sysmon Event ID 11: File Create for AnyDesk.exe in %USERPROFILE%\Downloads\ with initiating process curl.exe. Zone.Identifier ADS written to AnyDesk.exe confirming ZoneId=3 (Internet). If the binary is then executed (in a controlled lab), Sysmon Event ID 1: AnyDesk.exe Process Create with ParentImage=explorer.exe and FolderPath containing \Downloads\.
- Test 4Malicious LNK File Execution from Removable Media (Raspberry Robin Pattern)
Expected signal: Sysmon Event ID 11: File Create for df00tech_lnk_test.lnk in %TEMP%. Sysmon Event ID 1: cmd.exe Process Create with ParentImage=explorer.exe (shell invocation) and CommandLine containing 'LNK-Execution-Test-df00tech'. The FolderPath for cmd.exe will be %TEMP%, which matches the user-writable path detection branch.
References (10)
- https://attack.mitre.org/techniques/T1204/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/
- https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
- https://blog.talosintelligence.com/roblox-scam-overview/
- https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/
- https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
Unlock Pro Content
Get the full detection package for T1204 including response playbook, investigation guide, and atomic red team tests.