An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.
While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
Adversaries may also deceive users into performing actions such as:
For example, tech support scams can be facilitated through Phishing, vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or Remote Access Software.(Citation: Telephone Attack Delivery)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1204 | User Execution |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
|
DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1204 | User Execution |
Comments
In order to protect users from being victims of social engineering attacks, network intrusion prevention techniques can be used to scan and block malicious code from malicious downloads and malicious activity.
References
|
PR.PS-01.03 | Configuration deviation | Mitigates | T1204 | User Execution |
Comments
This diagnostic statement provides protection from User Execution through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to execute malicious unsigned code.
References
|
DE.CM-01.05 | Website and service blocking | Mitigates | T1204 | User Execution |
Comments
This diagnostic statement protects user execution through the implementation of tools and measures to block unknown or unused files in transit.
References
|
PR.PS-01.09 | Virtualized end point protection | Mitigates | T1204 | User Execution |
Comments
The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may rely on a user running a malicious image to facilitate execution. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the virtualized instance or container. Mitigating controls such as execution prevention, NIPS, EDRs and behavior prevention on endpoints may provide mitigating mechanisms to prevent the running of executables coming from virtualized machines onto the host or network.
References
|
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1204 | User Execution |
Comments
This diagnostic statement protects against User Execution through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-07 | Continuous Monitoring | mitigates | T1204 | User Execution | |
CM-06 | Configuration Settings | mitigates | T1204 | User Execution | |
SC-44 | Detonation Chambers | mitigates | T1204 | User Execution | |
SI-08 | Spam Protection | mitigates | T1204 | User Execution | |
SI-02 | Flaw Remediation | mitigates | T1204 | User Execution | |
SI-10 | Information Input Validation | mitigates | T1204 | User Execution | |
SI-03 | Malicious Code Protection | mitigates | T1204 | User Execution | |
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1204 | User Execution | |
CM-02 | Baseline Configuration | mitigates | T1204 | User Execution | |
CM-07 | Least Functionality | mitigates | T1204 | User Execution | |
SI-04 | System Monitoring | mitigates | T1204 | User Execution | |
AC-04 | Information Flow Enforcement | mitigates | T1204 | User Execution | |
SC-07 | Boundary Protection | mitigates | T1204 | User Execution |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Other | Other | related-to | T1204 | User Execution | |
action.malware.variety.Downloader | Downloader (pull updates or other malware) | related-to | T1204 | User Execution | |
action.social.variety.Phishing | Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. A fake google login page isn’t really pretexting. | related-to | T1204 | User Execution | |
action.social.vector.Email | related-to | T1204 | User Execution | ||
action.social.vector.Social media | Social media or networking | related-to | T1204 | User Execution |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1204 | User Execution |
Comments
This control provides detection for one of the two sub-techniques of this technique, Malicious File, resulting in a Partial Coverage score and consequently an overall score of Partial.
References
|
azure_firewall | Azure Firewall | technique_scores | T1204 | User Execution |
Comments
This control provides partial protection for this technique.
References
|
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1204 | User Execution |
Comments
This control can detect network traffic associated with this technique.
References
|
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1204 | User Execution |
Comments
This control only provides meaningful detection for one of the technique's two sub-techniques, and the temporal factor is unknown, resulting in a score of Minimal.
References
|
defender_for_containers | Microsoft Defender for Containers | technique_scores | T1204 | User Execution |
Comments
This control can detect container behavior associated with this technique.
References
|
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1204 | User Execution |
Comments
This control can protect against user execution.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
google_secops | Google Security Operations | technique_scores | T1204 | User Execution |
Comments
Google Security Ops is able to trigger an alert based on suspicious user activity (e.g., clicking on a malicious links).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/proxy/microsoft_teams_phishing_email.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/detect_possible_execution_of_phishing_attachment.yaral
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
aws_config | AWS Config | technique_scores | T1204 | User Execution |
Comments
This control provides significant coverage for one of this technique's sub-techniques, resulting in an overall score of Minimal.
References
|
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DEF-SSCO-E3 | Secure Score | Technique Scores | T1204 | User Execution |
Comments
Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.
Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.
To help you find the information you need more quickly, Microsoft recommended actions are organized into groups:
Identity (Microsoft Entra accounts & roles)
Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)
Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)
Data (through Microsoft Information Protection)
References
|
EOP-AMW-E3 | Antimalware | Technique Scores | T1204 | User Execution |
Comments
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:
Viruses that infect other programs and data, and spread through your computer or network looking for programs to infect.
Spyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.
Ransomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.
EOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:
Layered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.
Real-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.
Fast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.
License Requirements: M365 E3 or Microsoft Defender for Office plan 1.
References
|
DEF-QUAR-E3 | Quarantine Policies | Technique Scores | T1204 | User Execution |
Comments
In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.
Traditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.
The following M365 features are supported by quarantine policies, “Response” to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
License requirements: M365 E3 (or Defender for Office plan 1)
References
|
DEF-ZHAP-E3 | Zero Hour Auto Purge | Technique Scores | T1204 | User Execution |
Comments
Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.
License Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security.
References
|
DEF-AACI-E3 | Adaptive Application Control Integration | Technique Scores | T1204 | User Execution |
Comments
This control only provides detection for one of this technique's sub-techniques while not providing any detection capability for its other sub-technique, and therefore its coverage score is Partial, resulting in a Partial score.
References
|
DEF-AACI-E3 | Adaptive Application Control Integration | Technique Scores | T1204 | User Execution |
Comments
This control only provides detection for one of this technique's sub-techniques while not providing any detection capability for its other sub-technique, and therefore its coverage score is Partial, resulting in a Partial score.
References
|
DEF-SATT-E3 | Safe Attachments | Technique Scores | T1204 | User Execution |
Comments
M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real-time to detect against emerging threats. If a suspicious file is identified, this file can be quarantined or blocked access to prevent potential harm.
License requirements:
Mirosoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on
References
|
DEF-SATT-E3 | Safe Attachments | Technique Scores | T1204 | User Execution |
Comments
M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real-time to detect against emerging threats. If a suspicious file is identified, this file can be quarantined or blocked access to prevent potential harm.
License requirements:
Mirosoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on
References
|
DEF-SIMT-E5 | ATT&CK Simulation Training | Technique Scores | T1204 | User Execution |
Comments
M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule. This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities.
The following social engineering techniques are available:
Credential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.
Malware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.
Link in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.
Link to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.
Drive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.
OAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.
License Requirements:
Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2.
References
|
DEF-SIMT-E5 | ATT&CK Simulation Training | Technique Scores | T1204 | User Execution |
Comments
M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule. This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities.
The following social engineering techniques are available:
Credential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.
Malware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.
Link in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.
Link to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.
Drive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.
OAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.
License Requirements:
Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2.
References
|
DEF-PSP-E3 | Preset Security Policies | Technique Scores | T1204 | User Execution |
Comments
M365 Preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users while avoiding unnecessary disruptions.
Preset Security Policies Detects User Execution attacks due to all recipients in the organization receiving Safe Links and Safe Attachments with the Built-in protection profile by default. Safe Links immediately checking the URL's before opening the websites. You can add entries to the existing policies or configure different lists in different Safe Links policies to determine if certain websites are necessary for business operations. If the URL points to a website that has been identified as a phishing attack, a Phishing attempt warning page will open.
License Requirements:
Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR
References
|
DEF-SLNK-E3 | Safe Links | Technique Scores | T1204 | User Execution |
Comments
Microsoft Defender for O365 Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. Safe Links provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Teams, and supported Office 365 apps.
Safe Links Detects User Execution attacks due to Safe Links immediately checking the URL's before opening the websites. If the URL points to a website that has been determined to be malicious, a malicious website warning page opens.
License Requirements:
Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR
References
|
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1204.002 | Malicious File | 31 |
T1204.003 | Malicious Image | 33 |
T1204.001 | Malicious Link | 27 |