User Execution T1204
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.
Events covered
30 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 143 rules listed under this technique: which fields they filter on, which specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (56 distinct)
The fields that the most rules inspect when detecting this technique. The How column shows the operators rule authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (921 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get useful signal. A blank cell means the combination is specific to rules under this technique.
Exclusions (192 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out; a new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Each entry links to the rule's full predicates, exclusions, and indicators.
Sigma 47 rules
- AppLocker Prevented Application or Script from Running
- Arbitrary Shell Command Execution Via Settingcontent-Ms
- CLR DLL Loaded Via Office Applications
- DarkSide Ransomware Pattern
- DotNET Assembly DLL Loaded Via Office Application
- Droppers Exploiting CVE-2017-11882
- Edge abuse for payload download via console
- Edge/Chrome headless feature abuse for payload download
- Exploit for CVE-2017-0261
- Exploit for CVE-2017-8759
- File With Uncommon Extension Created By An Office Application
- FileFix - Command Evidence in TypedPaths
- GAC DLL Loaded Via Office Applications
- HackTool - LittleCorporal Generated Maldoc Injection
- Kapeka Backdoor Loaded Via Rundll32.EXE
- Microsoft Excel Add-In Loaded
- Microsoft Excel Add-In Loaded From Uncommon Location
- Microsoft VBA For Outlook Addin Loaded Via Outlook
- Microsoft Word Add-In Loaded
- MMC Executing Files with Reversed Extensions Using RTLO Abuse
- New Application in AppCompat
- Potential ClickFix Execution Pattern - Registry
- Potential Maze Ransomware Activity
- Potential Snatch Ransomware Activity
- Potential Suspicious Browser Launch From Document Reader Process
- Potentially Suspicious WebDAV LNK Execution
- PrinterNightmare Mimikatz Driver Name
- Remote DLL Load Via Rundll32.EXE
- Successful MSIX/AppX Package Installation
- Suspicious Binaries and Scripts in Public Folder
- Suspicious Binary In User Directory Spawned From Office Application
- Suspicious ClickFix/FileFix Execution Pattern
- Suspicious Deno File Written from Remote Source
- Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
- Suspicious FileFix Execution Pattern
- Suspicious LNK Command-Line Padding with Whitespace Characters
- Suspicious Microsoft Office Child Process
- Suspicious Outlook Child Process
- Suspicious Space Characters in RunMRU Registry Path - ClickFix
- Suspicious Space Characters in TypedPaths Registry Path - FileFix
- Suspicious Startup Folder Persistence
- Suspicious WMIC Execution Via Office Process
- Suspicious WmiPrvSE Child Process
- VBA DLL Loaded Via Office Application
- Windows AppX Deployment Full Trust Package Installation
- Windows AppX Deployment Unsigned Package Installation
- Windows MSIX Package Support Framework AI_STUBS Execution
Elastic 29 rules
- Creation of SettingContent-ms Files
- Downloaded Shortcut Files
- Downloaded URL Files
- Executable File Creation with Multiple Extensions
- Execution of a Downloaded Windows Script
- Execution of File Written or Modified by Microsoft Office
- File with Right-to-Left Override Character (RTLO) Created/Executed
- File with Suspicious Extension Downloaded
- Microsoft Build Engine Started by an Office Application
- Microsoft Management Console File from Unusual Path
- MS Office Macro Security Registry Modifications
- Network Connection via Compiled HTML File
- Potential Execution via FileFix Phishing Attack
- Potential Fake CAPTCHA Phishing Attack
- Potential Masquerading as Business App Installer
- Potential Notepad Markdown RCE Exploitation
- Process Activity via Compiled HTML File
- Remote Desktop File Opened from Suspicious Path
- Suspicious Execution from a Mounted Device
- Suspicious Execution from a WebDav Share
- Suspicious Execution from INET Cache
- Suspicious Execution from VS Code Extension
- Suspicious Execution via Microsoft Office Add-Ins
- Suspicious HTML File Creation
- Suspicious MS Outlook Child Process
- Suspicious PDF Reader Child Process
- Suspicious Troubleshooting Pack Cabinet Execution
- Unusual Execution via Microsoft Common Console File
- Windows Script Execution from Archive
Splunk 62 rules
- 3CXDesktopApp.exe Execution (EDR)
- 3CXDesktopApp.exe Execution (Sysmon)
- 3CXDesktopApp.exe Execution (Windows Event Log)
- Batch File Write to System32
- Clop Common Exec Parameter
- Command Line Spawned by Archive Utility - Windows (Sysmon)
- Command Line Spawned by Archive Utility - Windows (Windows Event Log)
- Conti Common Exec parameter
- CVE-2022-30190: Microsoft Office Code Execution Vulnerability (EDR)
- CVE-2022-30190: Microsoft Office Code Execution Vulnerability (Sysmon)
- CVE-2022-30190: Microsoft Office Code Execution Vulnerability (Windows Event Log)
- Detect Rare Executables
- Drop IcedID License dat
- Executable Process from Suspicious Folder (PowerShell)
- Executable Process from Suspicious Folder (Sysmon)
- Executable Process from Suspicious Folder (Windows Event Log)
- Explorer Child Process with Suspicious Command Line Padding (Sysmon)
- ISO File in Temp Folder (Windows Event Log)
- ISO Image Mounted - Windows (PowerShell)
- ISO Image Mounted - Windows (Windows Event Log)
- Malicious Document Execution (Sysmon)
- Malicious Document Execution (Windows Event Log)
- Microsoft Diagnostic Tool "DogWalk" Package Path Traversal (EDR)
- Microsoft Diagnostic Tool "DogWalk" Package Path Traversal (Sysmon)
- Microsoft Diagnostic Tool "DogWalk" Package Path Traversal (Windows Event Log)
- Office Spawns Suspicious Child Process (Sysmon)
- Office Spawns Suspicious Child Process (Windows Event Log)
- Potential CVE-2024-21413: Outbound SMB from Outlook (Sysmon)
- Potential CVE-2024-21413: Outbound SMB from Outlook (Windows Event Log)
- Process Executed from Downloads Folder - Windows (Sysmon)
- Process Executed from Downloads Folder - Windows (Windows Event Log)
- Rare executable from Microsoft Office (Sysmon)
- Rare executable from Microsoft Office (Windows Event Log)
- Rare Process Execution (Sysmon)
- Rare Process Execution (Windows Event Log)
- Revil Common Exec Parameter
- Single Letter Process On Endpoint
- Suspicious Process Executed From Container File
- Symbolic OR Hard File Link Created (PowerShell)
- Symbolic OR Hard File Link Created (Windows Event Log)
- WebDAV LNK Execution (Sysmon)
- WebDAV LNK Execution (Windows Event Log)
- Windows Advanced Installer MSIX with AI_STUBS Execution
- Windows AppX Deployment Full Trust Package Installation
- Windows AppX Deployment Package Installation Success
- Windows AppX Deployment Unsigned Package Installation
- Windows Binary Execution from an Archive
- Windows Default Cobalt Strike PowerShell Beacon
- Windows Developer-Signed MSIX Package Installation
- Windows EFI Volume Mount Attempt Via Mountvol
- Windows Explorer LNK Exploit Process Launch With Padding
- Windows Explorer.exe Spawning PowerShell or Cmd
- Windows ISO LNK File Creation
- Windows MSIX Package Interaction
- Windows Mustang Panda USB Tool Execution
- Windows NorthStar C2 Agent Execution
- Windows PowerShell FakeCAPTCHA Clipboard Execution
- Windows PowerShell Script From WindowsApps Directory
- Windows Suspect Process With Authentication Traffic
- Windows Suspicious QEMU Execution
- Windows Universal Data Link File Creation
- Windows User Execution Malicious URL Shortcut File