An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.
While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1204 | User Execution |
Comments
This control provides detection for one of the two sub-techniques of this technique, Malicious File, resulting in a Partial Coverage score and consequently an overall score of Partial.
References
|
| adaptive_application_controls | Adaptive Application Controls | technique_scores | T1204 | User Execution |
Comments
This control only provides detection for one of this technique's sub-techniques while not providing any detection capability for its other sub-technique, and therefore its coverage score is Partial, resulting in a Partial score.
References
|
| azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1204 | User Execution |
Comments
This control only provides meaningful detection for one of the technique's two sub-techniques, and the temporal factor is unknown, resulting in a score of Minimal.
References
|
| microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1204 | User Execution |
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1204.002 | Malicious File | 27 |
| T1204.001 | Malicious Link | 24 |