T1204: User Execution
| View on MITRE ATT&CK | T1204 |
|---|---|
| Tactic(s) | Execution |
Data from MITRE ATT&CK®:
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.
While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
Adversaries may also deceive users into performing actions such as enabling Remote Access Software, allowing direct control of the system to the adversary, or downloading and executing malware for User Execution. For example, tech support scams can be facilitated through Phishing, vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or Remote Access Software.(Citation: Telephone Attack Delivery)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
Threat Assessment: EKANS Ransomware
This threat assessment from researchers at Palo Alto's Unit 42 covers the EKANS ransomware. According to the report, EKANS was first observed in ...
GhostSec’s joint ransomware operation and evolution of their arsenal
This Threat Spotlight from Cisco Talos describes the evolution of GhostSec's ransomware operations including their work with the Stormous ...
Scattered Spider Advisory AA23-320A
This advisory from CISA outlines tactics, techniques and procedures used by the Scattered Spider threat actors, as observed by the FBI up until ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Network Intrusion Prevention
Use intrusion detection signatures to block traffic at network boundaries.Behavior Prevention on Endpoint
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.User Training
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.Restrict Web-Based Content
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.Execution Prevention
Block execution of code on a system through application control, and/or script blocking.How to detect this technique
MITRE ATT&CK Data Components
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )Network Connection Creation (Network Traffic)
Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)Network Traffic Content (Network Traffic)
Logged network traffic data showing both protocol header and body values (ex: PCAP)Instance Creation (Instance)
Initial construction of a new instance (ex: instance.insert within GCP Audit Logs)Container Start (Container)
Activation or invocation of a container (ex: docker start or docker restart)File Creation (File)
Initial construction of a new file (ex: Sysmon EID 11)Image Creation (Image)
Initial construction of a virtual machine image (ex: Azure Compute Service Images PUT)Application Log Content (Application Log)
Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)Instance Start (Instance)
Activation or invocation of an instance (ex: instance.start within GCP Audit Logs)Container Creation (Container)
Initial construction of a new container (ex: docker create <container_name>)Sigma Detections for this Technique
Payload Decoded and Decrypted via Built-in Utilities
Potentially Suspicious WebDAV LNK Execution
Antivirus Hacktool Detection
Arbitrary Shell Command Execution Via Settingcontent-Ms
PrinterNightmare Mimikatz Driver Name
Suspicious Execution via macOS Script Editor
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.