MITRE ATT&CK® Detection Strategy

DET0294: User Execution – Malicious File via download/open → spawn chain (T1204.002)


Enterprise | DET0294 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0294 is a detection strategy for user execution of a malicious file, where a downloaded or opened file leads to a process spawn chain. Its business significance is that execution may depend on a normal user action, so prevention and detection cannot rely only on blocking inbound files; teams need evidence that endpoint, email/web, and process telemetry can connect the user-opened file to the follow-on execution behavior.

Executive priority

Prioritize this as an execution-stage control validation problem. Leaders should ask whether the organization can prove, during an incident or audit, which user opened a suspicious file, where it came from, what process it launched, and whether follow-on execution was contained. This is especially relevant to SOC readiness, incident response scoping, user-risk reduction, and control investment around endpoint visibility, email/web ingress, and identity-aware response workflows.

Technical view

The supplied relationship says this strategy detects ATT&CK T1204.002 Malicious File, an execution technique across Linux, macOS, and Windows. SOC and detection teams should validate correlation from file acquisition or open events into process creation and child-process chains. Detection logic should focus on suspicious parent-child relationships after a user opens common document, archive, shortcut, disk image, script, registry, or executable file types referenced by the related technique. IR teams should be able to pivot from the opened file to user, host, file path/hash, parent process, child processes, and any subsequent execution activity.

Likely telemetry

  • Endpoint process creation telemetry with parent/child process context
  • File creation, download, open, and execution metadata
  • Email attachment and web download records where available
  • File reputation, hash, path, extension, and origin metadata
  • User and host context for the account that opened the file

Detection direction

  • Validate that detection content links the user-opened or downloaded file to the spawned process chain rather than alerting only on the file extension.
  • Tune for suspicious parent-child process combinations and unusual execution after document, PDF, spreadsheet, RTF, shortcut, executable, registry, control panel, or disk image files, while accounting for legitimate business tools that may spawn helpers.
  • Confirm coverage across the operating systems in scope for the related technique: Linux, macOS, and Windows.
  • Use relationship context to triage this as execution behavior associated with T1204.002, and pivot to possible initial access context such as spearphishing attachment only when local evidence supports it.
  • Check blind spots where telemetry captures the file but not the process tree, or captures process creation without file origin/user-open context.
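The correlation the points above call for, as an added illustration that is not part of the ATT&CK object or Glexia's analysis: it joins file-origin events (download or attachment) to process-creation events on the same host and user, flags suspicious children of document handlers while skipping known benign helpers, and marks chains that have no file-origin context as lower confidence so the blind spot is visible rather than silent. Every field name, the handler and child lists, and the sample events are constructed assumptions for this example, not a vendor schema.

```python
"""Link user-opened/downloaded files to follow-on spawn chains (T1204.002).

Added example, not MITRE or Glexia code. Event shapes, process lists and the
sample events below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Applications that typically handle a user-opened document (assumed list).
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
# Children that warrant an alert when spawned by a document handler (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe",
                       "regsvr32.exe", "wscript.exe", "cscript.exe"}
# Helpers that office apps launch in normal use; tune this per environment (assumed).
BENIGN_HELPERS = {"splwow64.exe", "dw20.exe"}


@dataclass
class FileEvent:
    ts: datetime
    host: str
    user: str
    path: str
    origin: str      # "download", "email_attachment" or "local"
    sha256: str


@dataclass
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


def basename(path: str) -> str:
    """Normalise a Windows or POSIX image path to its lower-case file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def correlate(files, procs, window=timedelta(minutes=10)):
    """Return one alert per suspicious document-handler child, with pivot context."""
    alerts = []
    for child in procs:
        parent_name, child_name = basename(child.parent_image), basename(child.image)
        if parent_name not in DOCUMENT_HANDLERS:
            continue
        if child_name in BENIGN_HELPERS or child_name not in SUSPICIOUS_CHILDREN:
            continue
        # Grandchildren give IR the rest of the chain to scope.
        descendants = [p for p in procs if (p.host, p.ppid) == (child.host, child.pid)]
        # Most recent non-local file the same user touched on this host inside the window.
        candidates = [f for f in files
                      if f.host == child.host and f.user == child.user
                      and f.origin != "local"
                      and timedelta(0) <= child.ts - f.ts <= window]
        origin = max(candidates, key=lambda f: f.ts, default=None)
        alerts.append({
            "host": child.host, "user": child.user,
            "parent": parent_name, "child": child_name, "cmdline": child.cmdline,
            "descendants": [basename(d.image) for d in descendants],
            "file": origin.path if origin else None,
            "sha256": origin.sha256 if origin else None,
            # No file-origin context is the blind spot the text warns about:
            # keep the alert, but flag that the link to a user-opened file is missing.
            "confidence": "high" if origin else "medium",
        })
    return alerts


def sample_events():
    """Constructed telemetry: one linked chain, one benign helper, one orphan chain."""
    t0 = datetime(2026, 1, 15, 9, 0, 0)
    files = [
        FileEvent(t0, "ws-042", "jdoe", r"C:\Users\jdoe\Downloads\invoice_Q1.docm",
                  "download", "a" * 64),
        FileEvent(t0 + timedelta(minutes=30), "ws-042", "jdoe",
                  r"C:\Users\jdoe\Documents\notes.docx", "local", "b" * 64),
    ]
    word = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
    excel = r"C:\Program Files\Microsoft Office\EXCEL.EXE"
    procs = [
        ProcessEvent(t0 + timedelta(seconds=40), "ws-042", "jdoe", 4100, 900, word,
                     r"C:\Windows\explorer.exe", '"WINWORD.EXE" invoice_Q1.docm'),
        ProcessEvent(t0 + timedelta(seconds=55), "ws-042", "jdoe", 4212, 4100,
                     r"C:\Windows\System32\cmd.exe", word, "cmd.exe /c <constructed>"),
        ProcessEvent(t0 + timedelta(seconds=58), "ws-042", "jdoe", 4300, 4212,
                     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     r"C:\Windows\System32\cmd.exe", "powershell.exe <constructed>"),
        ProcessEvent(t0 + timedelta(minutes=2), "ws-042", "jdoe", 4400, 4100,
                     r"C:\Windows\splwow64.exe", word, "splwow64.exe"),   # printing helper
        ProcessEvent(t0 + timedelta(hours=1), "ws-077", "asmith", 5100, 5000,
                     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     excel, "powershell.exe <constructed>"),             # no file event
    ]
    return files, procs


if __name__ == "__main__":
    for alert in correlate(*sample_events()):
        print(alert)
```

Running the block prints two alerts: the Word-to-cmd-to-PowerShell chain on ws-042 resolves to the downloaded invoice_Q1.docm with high confidence, while the Excel-to-PowerShell chain on ws-077 is kept at medium confidence because no download or attachment event exists to pivot from. The splwow64.exe helper produces nothing, which is the tuning behaviour the bullet on legitimate business tools asks for.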

Mitigation priorities

  • Ensure endpoint visibility can preserve process lineage and file metadata needed for incident scoping.
  • Harden file handling controls for risky attachment and downloaded file types in line with business need.
  • Strengthen user-facing controls and awareness around opening unexpected files, especially where email or web delivery is common.
  • Integrate SOC playbooks so alerts on suspicious spawn chains trigger rapid containment, file collection, hash/path review, and user/host scoping.
  • Use detection validation results to prioritize gaps in endpoint logging, email/web security evidence, and incident response procedures.

Analyst notes and limits

This take is based on the ATT&CK detection strategy name, external reference DET0294, and its relationship to T1204.002 Malicious File. The object itself has no official description, no official detection text, and no platforms or tactics directly specified; platform and tactic context comes from the related ATT&CK technique.

Because the detection strategy record is sparse, this summary cannot assert specific analytics, data source requirements, vendor controls, exploitation prevalence, attribution, or guaranteed detection. Local telemetry, file-handling workflows, operating systems, and SOC tooling determine practical coverage.

Official MITRE ATT&CK definition

User Execution – Malicious File via download/open → spawn chain (T1204.002)

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain | ID | Name | Relationship / procedure
Enterprise | T1204.002 | Malicious File (sub-technique) | This object detects Malicious File.
Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 5868bde4b826a8fb...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 5868bde4b826…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0294 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.