title: Malicious File (T1204.002)
id: df00tech-t1204-002
status: experimental
description: "Adversaries rely on users opening malicious files to gain code execution. Files delivered via spearphishing attachments or placed in shared directories include .doc, .xls, .pdf, .rtf, .scr, .exe, .lnk, .pif, .cpl, .iso, and others. Social engineering lures users into enabling macros, extracting archives, or double-clicking payloads. Execution typically manifests as an Office application, PDF reader, or shell process spawning a scripting engine, command interpreter, or LOLBin as a child process."
references:
  - https://attack.mitre.org/techniques/T1204/002/
  - https://df00tech.com/detections/T1204.002
author: df00tech
date: 2026/04/19
tags:
  - attack.execution
  - attack.t1204.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Approximation derived from the description above (an Office application or PDF reader
  # spawning a scripting engine, command interpreter or LOLBin). The df00tech KQL/SPL query
  # could not be auto-translated; compare against it before deploying. A wildcard EventID
  # selection would match every process_creation event and must not be used at level high.
  selection_parent:
    ParentImage|endswith: ['\winword.exe', '\excel.exe', '\powerpnt.exe', '\acrord32.exe', '\acrobat.exe']
  selection_child:
    Image|endswith: ['\cmd.exe', '\powershell.exe', '\pwsh.exe', '\wscript.exe', '\cscript.exe', '\mshta.exe', '\rundll32.exe', '\regsvr32.exe']
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate macro-enabled documents used by finance or HR teams that spawn cmd.exe or PowerShell for approved business automation
  - "IT software installation packages that extract and run executables from the user's Downloads or Temp folder (e.g., offline installers)"
  - PDF forms with embedded JavaScript that invoke Acrobat helper processes for printing or submission
  - "Developer toolchains that invoke build scripts (MSBuild, cscript) from project directories under AppData"
level: high
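The parent/child process relationship the description calls out (Office application or PDF reader spawning an interpreter or LOLBin), evaluated over a handful of constructed process_creation events. This is an added example and is not df00tech's query or the rule's own logic: the process-name lists, the sample events and the minimal Sigma-style matcher are my own assumptions, chosen to show how the selections combine and which of the listed false-positive classes the rule cannot tell apart on its own.

```python
"""Evaluate an Office/PDF-reader -> interpreter process_creation rule over sample events.

Illustrative code, not df00tech's or the Sigma project's. The process-name lists are an
assumption approximating the behaviour described in the rule (parent is an Office app or
PDF reader, child is a scripting engine, command interpreter or LOLBin).
"""
from typing import Dict, List

# Sigma-style selections: each key is "<Field>|<modifier>", each value list is OR-ed.
SELECTION_PARENT: Dict[str, List[str]] = {
    "ParentImage|endswith": [
        r"\winword.exe", r"\excel.exe", r"\powerpnt.exe",
        r"\acrord32.exe", r"\acrobat.exe",
    ],
}
SELECTION_CHILD: Dict[str, List[str]] = {
    "Image|endswith": [
        r"\cmd.exe", r"\powershell.exe", r"\pwsh.exe", r"\wscript.exe",
        r"\cscript.exe", r"\mshta.exe", r"\rundll32.exe", r"\regsvr32.exe",
    ],
}


def field_matches(value: str, modifier: str, patterns: List[str]) -> bool:
    """Apply one Sigma string modifier; Sigma string matching is case-insensitive."""
    v = value.lower()
    for pattern in patterns:
        p = pattern.lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "" and v == p:  # no modifier means exact match
            return True
    return False


def selection_matches(event: Dict[str, str], selection: Dict[str, List[str]]) -> bool:
    """Every key of a selection must match (AND); the values under one key are OR-ed."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not field_matches(value, modifier, patterns):
            return False
    return True


def rule_matches(event: Dict[str, str]) -> bool:
    # condition: selection_parent and selection_child
    return selection_matches(event, SELECTION_PARENT) and selection_matches(event, SELECTION_CHILD)


def find_alerts(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of events the rule fires on."""
    return [i for i, event in enumerate(events) if rule_matches(event)]


# Constructed sample process_creation events (Sysmon Event ID 1 field names); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 0: maldoc macro launching cmd.exe -> fires
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c start /min powershell.exe -w hidden"},
    # 1: PDF reader launching mshta.exe -> fires
    {"ParentImage": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://localhost/launch.hta"},
    # 2: user opening cmd.exe from the shell -> parent selection fails, no alert
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    # 3: Excel printing via its spooler helper -> child selection fails, no alert
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 8192"},
    # 4: approved finance macro running PowerShell -> fires; this is the false-positive
    #    class the rule lists and needs an environment-specific filter selection
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Finance\Scripts\month_end.ps1"},
]

if __name__ == "__main__":
    for i in find_alerts(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {e['ParentImage']} -> {e['Image']}")
```

Event 4 is the point of the falsepositives list: the parent/child pair alone looks identical to a maldoc, so tuning has to key on something the rule does not see here, such as the script path or a signed document source, rather than on loosening the parent or child lists.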
