T1204 User Execution Mappings

An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.

While User Execution frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

Adversaries may also deceive users into performing actions such as enabling Remote Access Software, allowing direct control of the system to the adversary; running malicious JavaScript in their browser, allowing adversaries to Steal Web Session Cookies; or downloading and executing malware for User Execution.(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)

For example, tech support scams can be facilitated through Phishing, vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or Remote Access Software.(Citation: Telephone Attack Delivery)


Mappings

Capability ID: intel-tdt
Capability Description: Intel Threat Detection Technology
Mapping Type: CrowdStrike AMS
ATT&CK ID: T1204
ATT&CK Name: User Execution
Notes:

Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection and protection of User Execution attacks. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact. User Execution attacks typically involve adversaries tricking or coercing users into executing malicious payloads, often through social engineering techniques such as phishing emails, malicious attachments, or misleading links. Once the user unknowingly runs the malicious file or code, it can lead to a wide range of attacks, including malware installation, system compromise, or data exfiltration.

Intel TDT plays a critical role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, enabling rapid detection of suspicious user-triggered behaviors, such as unauthorized applications being launched or malicious scripts executed. Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel Integrated GPU, enabling faster and more efficient detection of malicious activities without impacting system performance. CAMS helps identify suspicious behaviors, such as unauthorized execution of programs or code that may indicate user execution-based exploitation attempts, providing proactive defense against this common attack vector.

References

ATT&CK Subtechniques

Technique ID    Technique Name    Number of Mappings
T1204.002       Malicious File    4