An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.
While User Execution frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
Adversaries may also deceive users into performing actions such as:
For example, tech support scams can be facilitated through Phishing, vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or Remote Access Software.(Citation: Telephone Attack Delivery)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1204 | User Execution | Comments: This diagnostic statement provides for the implementation of methods, such as antivirus and IDS/IPS, to block similar future attacks and protect against threats and exploitation attempts. |
DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1204 | User Execution | Comments: To protect users from becoming victims of social engineering attacks, network intrusion prevention techniques can be used to scan for and block malicious code delivered through malicious downloads and other malicious activity. |
PR.PS-01.03 | Configuration deviation | Mitigates | T1204 | User Execution | Comments: This diagnostic statement provides protection from User Execution through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to execute malicious unsigned code. |
PR.PS-01.09 | Virtualized end point protection | Mitigates | T1204 | User Execution | Comments: The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may use an existing VM leveraging a legitimate external Web service to exfiltrate data rather than their primary command and control channel. The use of hypervisor application control may detect and block this type of behavior from occurring. |
DE.CM-01.05 | Website and service blocking | Mitigates | T1204 | User Execution | Comments: This diagnostic statement protects against User Execution through the implementation of tools and measures to block unknown or unused files in transit. |
PR.PS-01.09 | Virtualized end point protection | Mitigates | T1204 | User Execution | Comments: The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may rely on a user running a malicious image to facilitate execution. This can lead to the execution of malicious code, such as cryptocurrency mining, in the virtualized instance or container. Mitigating controls such as execution prevention, NIPS, EDR and behavior prevention on endpoints may prevent executables originating in virtual machines from running on the host or network. |
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1204 | User Execution | Comments: This diagnostic statement protects against User Execution through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-07 | Continuous Monitoring | mitigates | T1204 | User Execution | |
CM-06 | Configuration Settings | mitigates | T1204 | User Execution | |
SC-44 | Detonation Chambers | mitigates | T1204 | User Execution | |
SI-08 | Spam Protection | mitigates | T1204 | User Execution | |
SI-02 | Flaw Remediation | mitigates | T1204 | User Execution | |
SI-10 | Information Input Validation | mitigates | T1204 | User Execution | |
SI-03 | Malicious Code Protection | mitigates | T1204 | User Execution | |
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1204 | User Execution | |
CM-02 | Baseline Configuration | mitigates | T1204 | User Execution | |
CM-07 | Least Functionality | mitigates | T1204 | User Execution | |
SI-04 | System Monitoring | mitigates | T1204 | User Execution | |
AC-04 | Information Flow Enforcement | mitigates | T1204 | User Execution | |
SC-07 | Boundary Protection | mitigates | T1204 | User Execution | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Other | Other | related-to | T1204 | User Execution | |
action.malware.variety.Downloader | Downloader (pull updates or other malware) | related-to | T1204 | User Execution | |
action.social.variety.Phishing | Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn't rise to the level of an invented scenario. E.g. a fake Google login page isn't really pretexting. | related-to | T1204 | User Execution | |
action.social.vector.Email | | related-to | T1204 | User Execution | |
action.social.vector.Social media | Social media or networking | related-to | T1204 | User Execution | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1204 | User Execution | Comments: This control provides detection for one of the two sub-techniques of this technique, Malicious File, resulting in a Partial Coverage score and consequently an overall score of Partial. |
azure_firewall | Azure Firewall | technique_scores | T1204 | User Execution | Comments: This control provides partial protection for this technique. |
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1204 | User Execution | Comments: This control can detect network traffic associated with this technique. |
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1204 | User Execution | Comments: This control only provides meaningful detection for one of the technique's two sub-techniques, and the temporal factor is unknown, resulting in a score of Minimal. |
defender_for_containers | Microsoft Defender for Containers | technique_scores | T1204 | User Execution | Comments: This control can detect container behavior associated with this technique. |
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1204 | User Execution | Comments: This control can protect against User Execution. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
google_secops | Google Security Operations | technique_scores | T1204 | User Execution | Comments: Google Security Ops is able to trigger an alert based on suspicious user activity (e.g., clicking on a malicious link). This technique was scored as Minimal based on a low or uncertain detection coverage factor. References: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/proxy/microsoft_teams_phishing_email.yaral ; https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/detect_possible_execution_of_phishing_attachment.yaral |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
aws_config | AWS Config | technique_scores | T1204 | User Execution | Comments: This control provides significant coverage for one of this technique's sub-techniques, resulting in an overall score of Minimal. |

Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1204.002 | Malicious File | 21 |
T1204.003 | Malicious Image | 31 |
T1204.001 | Malicious Link | 20 |