T1204 Sumo Logic CSE · Sumo

Detect User Execution in Sumo Logic CSE

Adversaries rely on specific actions by a user to gain execution. Users are subjected to social engineering to execute malicious code by opening malicious document files, clicking links, running copy-pasted commands, or installing remote access tools under false pretenses. This technique frequently follows phishing (T1566) and encompasses a wide range of deceptive methods including malicious Office documents spawning shells, fake CAPTCHAs instructing users to paste PowerShell into Run dialogs (ClickFix/ClearFake), tech support scams prompting RAT installation, and malicious LNK files on removable media. Threat groups including Scattered Spider, LAPSUS$, and malware families like Lumma Stealer and Raspberry Robin rely heavily on user-initiated execution to bypass automated defenses.

MITRE ATT&CK

Tactic: Execution
Technique: T1204 User Execution
Canonical reference: https://attack.mitre.org/techniques/T1204/

Sumo Detection Query

Sumo Logic CSE (Sumo)

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process
| json field=_raw "EventID", "ParentImage", "Image", "CommandLine", "ParentCommandLine", "User", "Computer" nodrop
| where EventID = "1"
| toLowerCase(ParentImage) as parent_lower
| toLowerCase(Image) as image_lower
// Office, PDF reader or browser as the parent process (document- and link-based phishing)
| if(parent_lower matches /.*(winword|excel|powerpnt|outlook|mspub|onenote|visio|acrord32|acrobat|foxitreader|chrome|msedge|firefox|iexplore|opera)\.exe.*/, 1, 0) as office_or_browser_parent
// Shell or script interpreter as the child process
| if(image_lower matches /.*(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe.*/, 1, 0) as shell_child
// Remote access tools commonly pushed in tech support scams and impersonation
| if(image_lower matches /.*(anydesk|teamviewer|screenconnect|connectwisecontrol|splashtopstreamer|ultraviewer|rustdesk|supremo|radmin|atera_agent|netsupport)\.exe.*/, 1, 0) as rat_execution
// Executable launched by explorer.exe from a user-writable directory (ClickFix, drive-by downloads)
| if(image_lower matches /.*\\(downloads|desktop|appdata\\local\\temp|users\\public|appdata\\roaming)\\.*\.exe$/ and parent_lower matches "*explorer.exe*", 1, 0) as user_dir_exec
| if(office_or_browser_parent = 1 and shell_child = 1, 1, 0) as office_shell_spawn
| where office_shell_spawn = 1 or rat_execution = 1 or user_dir_exec = 1
// Suppress common self-updaters and installers, only for the user-writable-directory branch
| where !(user_dir_exec = 1 and image_lower matches /.*(onedrive|teams\.exe|slack\.exe|zoom\.exe|update\.exe|setup\.exe).*/)
| if(office_shell_spawn = 1, "Office/Browser Shell Spawn", if(rat_execution = 1, "Remote Access Tool Execution", "Executable from User-Writable Directory")) as detection_category
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, detection_category
| sort by _messageTime desc

Severity: High. Confidence: High.

Detects T1204 User Execution in Sumo Logic using Sysmon process creation events (Event ID 1). Evaluates three behavioral patterns aligned with common social engineering TTPs: Office and browser applications spawning shell interpreters (document-based phishing), remote access tool execution (tech support scams and impersonation), and explorer-spawned executables from user-writable locations (ClickFix, drive-by downloads). Uses Sumo Logic conditional expressions and pattern matching, with toLowerCase normalization so that image and parent paths compare case-insensitively.
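To make the three branches and the exclusion concrete, here is a Python port of the rule logic that can be run offline against Sysmon-style process-creation records. This is an added example, not the page's own query or any Sumo Logic code; the field names follow the Sysmon Event ID 1 fields the query extracts, and every event in the sample batch is constructed data.

```python
import re

# Added example, not the page's Sumo query: a Python port of the rule's three
# branches and its exclusion so the logic can be exercised offline. Field names
# follow the Sysmon Event ID 1 JSON fields the query extracts; the events below
# are constructed sample data, not real telemetry.

OFFICE_OR_BROWSER_PARENT = re.compile(
    r"(winword|excel|powerpnt|outlook|mspub|onenote|visio|acrord32|acrobat|"
    r"foxitreader|chrome|msedge|firefox|iexplore|opera)\.exe"
)
SHELL_CHILD = re.compile(
    r"(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe"
)
RAT_IMAGE = re.compile(
    r"(anydesk|teamviewer|screenconnect|connectwisecontrol|splashtopstreamer|"
    r"ultraviewer|rustdesk|supremo|radmin|atera_agent|netsupport)\.exe"
)
# Directories an unprivileged user can write to, matched as path components.
USER_WRITABLE_DIR = re.compile(
    r"\\(downloads|desktop|appdata\\local\\temp|users\\public|appdata\\roaming)\\"
)
# Self-updaters and installers the rule tolerates in the user-directory branch.
USER_DIR_EXCLUSIONS = re.compile(
    r"(onedrive|teams\.exe|slack\.exe|zoom\.exe|update\.exe|setup\.exe)"
)


def classify(event):
    """Return the rule's detection_category for one event, or None if it does not fire."""
    if str(event.get("EventID", "")) != "1":       # process-create events only
        return None
    parent = event.get("ParentImage", "").lower()   # toLowerCase normalisation
    image = event.get("Image", "").lower()

    office_shell_spawn = bool(OFFICE_OR_BROWSER_PARENT.search(parent)) and bool(SHELL_CHILD.search(image))
    rat_execution = bool(RAT_IMAGE.search(image))
    user_dir_exec = (
        bool(USER_WRITABLE_DIR.search(image))
        and image.endswith(".exe")
        and "explorer.exe" in parent
    )

    if not (office_shell_spawn or rat_execution or user_dir_exec):
        return None
    # The exclusion runs after the OR, so an event that also hit another branch
    # is still dropped when user_dir_exec is set and the path contains an excluded name.
    if user_dir_exec and USER_DIR_EXCLUSIONS.search(image):
        return None
    # Priority order mirrors the nested if() that builds detection_category.
    if office_shell_spawn:
        return "Office/Browser Shell Spawn"
    if rat_execution:
        return "Remote Access Tool Execution"
    return "Executable from User-Writable Directory"


def run_detection(events):
    """Apply classify() to a batch and return the rows the query would output."""
    rows = []
    for ev in events:
        category = classify(ev)
        if category is None:
            continue
        rows.append({
            "Computer": ev.get("Computer"),
            "User": ev.get("User"),
            "Image": ev.get("Image"),
            "ParentImage": ev.get("ParentImage"),
            "CommandLine": ev.get("CommandLine"),
            "detection_category": category,
        })
    return rows


# Constructed sample events: one per branch, one exclusion, two non-hits.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\alice\Downloads\AnyDesk.exe", "CommandLine": "AnyDesk.exe"},
    {"EventID": 1, "Computer": "WS02", "User": "CORP\\bob",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\invoice_scan.exe", "CommandLine": "invoice_scan.exe"},
    {"EventID": 1, "Computer": "WS02", "User": "CORP\\bob",   # suppressed by the exclusion
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\bob\Downloads\Setup.exe", "CommandLine": "Setup.exe"},
    {"EventID": 1, "Computer": "WS03", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 3, "Computer": "WS03", "User": "CORP\\alice",  # not a process-create event
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\alice\Downloads\AnyDesk.exe", "CommandLine": ""},
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(f'{row["detection_category"]:40} {row["ParentImage"]} -> {row["Image"]}')
```

Two details of the rule's shape are worth noticing when tuning. The category is assigned in priority order (Office/browser shell spawn, then RAT, then user-writable directory), so the AnyDesk launch from Downloads is reported as a remote access tool hit even though it also satisfies the user-directory branch. And because the exclusion is evaluated after the OR, it suppresses any event in which user_dir_exec is set and the image path contains an excluded token, not only events that fired solely on that branch; keep that in mind before widening the exclusion list.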

Data Sources

  • Sumo Logic Installed Collector (Windows)
  • Sysmon for Windows
  • Sumo Logic Cloud SIEM Enterprise

Required Tables

  • _sourceCategory=windows/sysmon
  • _sourceCategory=endpoint/process

False Positives & Tuning

  • Legitimate business macros in Excel or Word that invoke cmd.exe or PowerShell for ETL tasks, report generation, or workflow automation in enterprise environments
  • IT-approved remote access tools installed as part of managed service agreements or active helpdesk support sessions
  • End-user installation of legitimate productivity software downloaded from the internet and run via explorer from the Downloads folder

Testing Methodology

Validate this detection against the 4 Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Malicious Office Document Macro Spawning cmd.exe

    Expected signal: Sysmon Event ID 1: wscript.exe Process Create with CommandLine containing df00tech_test.vbs. Second Sysmon Event ID 1: cmd.exe Process Create with ParentImage=wscript.exe and CommandLine containing whoami. Sysmon Event ID 11: File Create for df00tech_result.txt in %TEMP%.

  2. Test 2: Simulated ClickFix / Clipboard Paste Execution (Lumma Stealer Pattern)

    Expected signal: Sysmon Event ID 1: powershell.exe Process Create with CommandLine containing '-enc' and a Base64 string. ParentImage will be powershell.exe (the launcher). PowerShell ScriptBlock Log Event ID 4104 will show decoded content 'Write-Output ClickFix-Test-df00tech'. In a real ClickFix scenario, the parent would be explorer.exe (Run dialog) spawning powershell.exe with -enc.

  3. Test 3: Remote Access Tool Execution Simulating Social Engineering

    Expected signal: Sysmon Event ID 11: File Create for AnyDesk.exe in %USERPROFILE%\Downloads\ with initiating process curl.exe. Zone.Identifier ADS written to AnyDesk.exe confirming ZoneId=3 (Internet). If the binary is then executed (in a controlled lab), Sysmon Event ID 1: AnyDesk.exe Process Create with ParentImage=explorer.exe and FolderPath containing \Downloads\.

  4. Test 4: Malicious LNK File Execution from Removable Media (Raspberry Robin Pattern)

    Expected signal: Sysmon Event ID 11: File Create for df00tech_lnk_test.lnk in %TEMP%. Sysmon Event ID 1: cmd.exe Process Create with ParentImage=explorer.exe (shell invocation) and CommandLine containing 'LNK-Execution-Test-df00tech'. The FolderPath for cmd.exe will be %TEMP%, which matches the user-writable path detection branch.
