An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.
While User Execution frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
Adversaries may also deceive users into performing actions such as enabling Remote Access Software, allowing direct control of the system to the adversary, or downloading and executing malware for User Execution. For example, tech support scams can be facilitated through Phishing, vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or Remote Access Software.(Citation: Telephone Attack Delivery)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-4 | Information Flow Enforcement | Protects | T1204 | User Execution | |
CA-7 | Continuous Monitoring | Protects | T1204 | User Execution | |
CM-2 | Baseline Configuration | Protects | T1204 | User Execution | |
CM-6 | Configuration Settings | Protects | T1204 | User Execution | |
CM-7 | Least Functionality | Protects | T1204 | User Execution | |
SC-44 | Detonation Chambers | Protects | T1204 | User Execution | |
SC-7 | Boundary Protection | Protects | T1204 | User Execution | |
SI-10 | Information Input Validation | Protects | T1204 | User Execution | |
SI-2 | Flaw Remediation | Protects | T1204 | User Execution | |
SI-3 | Malicious Code Protection | Protects | T1204 | User Execution | |
SI-4 | System Monitoring | Protects | T1204 | User Execution | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1204 | User Execution | |
SI-8 | Spam Protection | Protects | T1204 | User Execution | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Downloader | Downloader (pull updates or other malware) | related-to | T1204 | User Execution | |
action.malware.variety.Unknown | Unknown | related-to | T1204 | User Execution | |
action.social.variety.Phishing | Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn't rise to the level of an invented scenario. E.g., a fake Google login page isn't really pretexting. | related-to | T1204 | User Execution | |
action.social.vector.Email | | related-to | T1204 | User Execution | |
action.social.vector.Social media | Social media or networking | related-to | T1204 | User Execution | |
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1204.002 | Malicious File | 18 |
T1204.003 | Malicious Image | 25 |
T1204.001 | Malicious Link | 17 |