An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.
While User Execution frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-4 | Information Flow Enforcement | Protects | T1204 | User Execution |
CA-7 | Continuous Monitoring | Protects | T1204 | User Execution |
CM-2 | Baseline Configuration | Protects | T1204 | User Execution |
CM-6 | Configuration Settings | Protects | T1204 | User Execution |
CM-7 | Least Functionality | Protects | T1204 | User Execution |
SC-44 | Detonation Chambers | Protects | T1204 | User Execution |
SC-7 | Boundary Protection | Protects | T1204 | User Execution |
SI-10 | Information Input Validation | Protects | T1204 | User Execution |
SI-2 | Flaw Remediation | Protects | T1204 | User Execution |
SI-3 | Malicious Code Protection | Protects | T1204 | User Execution |
SI-4 | System Monitoring | Protects | T1204 | User Execution |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1204 | User Execution |
SI-8 | Spam Protection | Protects | T1204 | User Execution |

Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1204.002 | Malicious File | 12 |
T1204.003 | Malicious Image | 18 |
T1204.001 | Malicious Link | 11 |