User Execution: Malicious File T1204.002

Tactic: Execution

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.

Events covered

25 catalog events are tagged with this technique by at least one rule.

Provider | Event | Title
Sysmon | Event ID 1 | Process creation
Sysmon | Event ID 3 | Network connection
Sysmon | Event ID 7 | Image loaded
Sysmon | Event ID 10 | ProcessAccess
Sysmon | Event ID 11 | FileCreate
Sysmon | Event ID 12 | RegistryEvent (Object create and delete)
Sysmon | Event ID 13 | RegistryEvent (Value Set)
Sysmon | Event ID 14 | RegistryEvent (Key and Value Rename)
Security-Auditing | Event ID 4656 | A handle to an object was requested.
Security-Auditing | Event ID 4663 | An attempt was made to access an object.
Security-Auditing | Event ID 4688 | A new process has been created.
Security-Auditing | Event ID 5156 | The Windows Filtering Platform has permitted a connection.
ESF | exec | Process Execution (Notify)
ESF | write | File Write (NOTIFY)
AppLocker | Event ID 8004 | FilePathBuffer was prevented from running.
AppLocker | Event ID 8007 | FilePathBuffer was prevented from running.
AppLocker | Event ID 8022 | PackageBuffer was prevented from running.
AppLocker | Event ID 8025 | PackageBuffer was prevented from running.
AppXDeployment-Server | Event ID 400 | Deployment DeploymentOperation operation with target volume MountPoint on Package PackageFullName from: Path finished successfully.
AppXDeployment-Server | Event ID 603 | Started deployment DeploymentOperation operation on a package with main parameter Path and Options Flags and FlagsHigh.
AppXDeployment-Server | Event ID 854 | Successfully added the following uri(s) to be processed: Path.
AppXDeployment-Server | Event ID 855 | Finished resolving action lists.
AppxPackagingOM | Event ID 171 | The reader was created successfully for app package packageFullName.
PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData.
PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 145 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (93 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
process_name | 42 | eq 23, in 11, match 6, starts_with 5, wildcard 4, ne 2, contains 1, regex_match 1 | cmd.exe, base16, base32, base64, cscript.exe
event.type | 37 | eq 37, ne 1 | start, creation, denied, allowed, change
Image | 35 | ends_with 24, wildcard 4, contains 3, in 3, starts_with 2, match 1, regex_match 1 | \excel.exe, \mspub.exe, \onenote.exe, ?:\users\*\downloads\*, \appvlp.exe
EventID | 34 | eq 31, in 2, regex_match 1 | 1, 4688, 4104, malicious_file, 4663
parent_process_name | 28 | eq 14, match 9, in 3, regex_match 3 | explorer.exe, 7zFM.exe, (?i)(Microsoft..., winrar.exe, (?i)((WINWORD\.EXE)|(EXCEL\.EXE)|(POWERPNT\.EXE)|(MSACCES...
CommandLine | 21 | contains 11, wildcard 5, match 4, in 3, regex_match 3, ends_with 2, length_compare 1 | (?i)PCWDiagnostic|invoke, *-*d*, b64decode, cscript,
ParentImage | 18 | ends_with 12, contains 4, is_not_null 2, eq 1 | \eqnedt32.exe, \excel.exe, \msaccess.exe, \winword.exe, \\explorer.exe
EventType | 16 | eq 13, in 4 | exec, ProcessRollup2, creation, start, exec_event
process.args | 15 | eq 6, wildcard 6, contains 5, starts_with 4, in 3, ends_with 1 | *-*d*, -c, *lua*, *perl*, -*p*
ImageLoaded | 10 | ends_with 5, contains 3, starts_with 3, regex_match 1 | .xll, .wll, :\programdata, [a-za-z]{5,6}\.wll, \\\\
OriginalFileName | 10 | eq 10 | cmd.exe, popupwrapper.exe, powershell.exe, powershell_ise.exe, bitsadmin.exe
TargetFilename | 10 | contains 4, ends_with 3, wildcard 3, in 1, match 1, starts_with 1 | .bat, .cmd, (?i)\x5cdevice\x5ccdrom, *\\system32\\*, *\\syswow64\\*
Type | 10 | eq 10 |
host.os.type | 10 | eq 10 |
file.extension | 8 | eq 7, in 1 | exe, appinstaller, application, appx, bat

Top indicator values (1125 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
event.type | eq | start | 29 | 606
event.type | eq | creation | 6 | 45
EventID | eq | 1 | 9 | 237
EventID | eq | 4688 | 8 | 313
process_name | eq | cmd.exe | 9 | 77
process_name | eq | powershell.exe | 9 | 104
process_name | eq | pwsh.exe | 8 | 62
process_name | eq | wscript.exe | 8 | 29
process_name | eq | mshta.exe | 7 | 31
process_name | eq | cscript.exe | 6 | 25
process_name | eq | bitsadmin.exe | 5 | 14
process_name | eq | msiexec.exe | 5 | 22
Image | ends_with | \excel.exe | 7 | 18
Image | ends_with | \winword.exe | 7 | 20
Image | ends_with | \mspub.exe | 5 | 10
Image | ends_with | \outlook.exe | 5 | 14
Image | ends_with | \powerpnt.exe | 5 | 15
Image | ends_with | \onenote.exe | 4 | 6
parent_process_name | eq | explorer.exe | 7 | 20
EventType | eq | exec | 6 | 171
ParentImage | ends_with | \winword.exe | 6 | 10
process_name | in | base16 | 5 | 6
process_name | in | base32 | 5 | 7
process_name | in | base64 | 5 | 8
process_name | in | base64mime | 5 | 5
process_name | in | base64pem | 5 | 5
process_name | in | base64plain | 5 | 5
process_name | in | base64url | 5 | 5
process_name | starts_with | perl | 5 | 20
process_name | starts_with | ruby | 5 | 21

Exclusions (280 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
CurrentDirectory | wildcard | /opt/zeek | 2
CurrentDirectory | wildcard | /proc/self/fd/*/usr/local/zeek | 2
CurrentDirectory | wildcard | /usr/local/zeek | 2
CurrentDirectory | wildcard | /usr/local/zeek_old_install | 2
CurrentDirectory | wildcard | /var/lib/docker/overlay2/*/opt/zeek | 2
CurrentDirectory | wildcard | /var/lib/docker/overlay2/*/usr/local/zeek | 2
ParentCommandLine | contains | extendedglob | 2
parent_process_name | eq | zsh | 2
process.code_signature.trusted | eq | true | 2
process_name | eq | cmd.exe | 2
ActualAction | contains | cleaned | 1
CallingProcess | starts_with | svchost.exe,AppReadiness | 1
CallingProcess | starts_with | sysprep.exe | 1
CommandLine | contains | $cffixed_user_home/.zoterointegrationpipe | 1
CommandLine | contains | /i | 1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule's own page lists its full predicates, exclusions, and indicators.


Sigma: 36 rules
Elastic: 49 rules
Splunk: 47 rules
Kusto: 7 rules
YARA-L: 3 rules
Panther: 3 rules