T1204 User Execution Mappings

An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.

While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

Adversaries may also deceive users into performing actions such as enabling Remote Access Software, allowing direct control of the system to the adversary, or downloading and executing malware for User Execution. For example, tech support scams can be facilitated through Phishing, vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or Remote Access Software.(Citation: Telephone Attack Delivery)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-04 Information Flow Enforcement Protects T1204 User Execution
CA-07 Continuous Monitoring Protects T1204 User Execution
CM-02 Baseline Configuration Protects T1204 User Execution
CM-06 Configuration Settings Protects T1204 User Execution
CM-07 Least Functionality Protects T1204 User Execution
SC-44 Detonation Chambers Protects T1204 User Execution
SC-07 Boundary Protection Protects T1204 User Execution
SI-10 Information Input Validation Protects T1204 User Execution
SI-02 Flaw Remediation Protects T1204 User Execution
SI-03 Malicious Code Protection Protects T1204 User Execution
SI-04 System Monitoring Protects T1204 User Execution
SI-07 Software, Firmware, and Information Integrity Protects T1204 User Execution
SI-08 Spam Protection Protects T1204 User Execution
EOP-Antimalware-E3 Antimalware Technique Scores T1204 User Execution
M365-DEF-ZAP-E3 Zero Hour Auto Purge Technique Scores T1204 User Execution
DEF-SecScore-E3 Secure Score Technique Scores T1204 User Execution
DO365-SL-E3 Safe Links Technique Scores T1204 User Execution
DEF-SA-E3 Safe Attachments Technique Scores T1204 User Execution
DEF-SA-E3 Safe Attachments Technique Scores T1204 User Execution
DEF-Quarantine-E3 Quarantine Policies Technique Scores T1204 User Execution
DO365-PSP-E3 Preset Security Policies Technique Scores T1204 User Execution
DEF-SIM-E5 ATT&CK Simulation Training Technique Scores T1204 User Execution
DEF-SIM-E5 ATT&CK Simulation Training Technique Scores T1204 User Execution

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1204.002 Malicious File 21
T1204.003 Malicious Image 18
T1204.001 Malicious Link 19