T1204 User Execution Mappings

An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.

While User Execution frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop, hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1204 | User Execution |
| AC-17 | Remote Access | Protects | T1204 | User Execution |
| AC-2 | Account Management | Protects | T1204 | User Execution |
| AC-21 | Information Sharing | Protects | T1204 | User Execution |
| AC-23 | Data Mining Protection | Protects | T1204 | User Execution |
| AC-3 | Access Enforcement | Protects | T1204 | User Execution |
| AC-4 | Information Flow Enforcement | Protects | T1204 | User Execution |
| AC-6 | Least Privilege | Protects | T1204 | User Execution |
| CA-7 | Continuous Monitoring | Protects | T1204 | User Execution |
| CM-2 | Baseline Configuration | Protects | T1204 | User Execution |
| CM-3 | Configuration Change Control | Protects | T1204 | User Execution |
| CM-5 | Access Restrictions for Change | Protects | T1204 | User Execution |
| CM-6 | Configuration Settings | Protects | T1204 | User Execution |
| CM-7 | Least Functionality | Protects | T1204 | User Execution |
| CM-8 | System Component Inventory | Protects | T1204 | User Execution |
| SC-28 | Protection of Information at Rest | Protects | T1204 | User Execution |
| SC-44 | Detonation Chambers | Protects | T1204 | User Execution |
| SC-7 | Boundary Protection | Protects | T1204 | User Execution |
| SI-10 | Information Input Validation | Protects | T1204 | User Execution |
| SI-2 | Flaw Remediation | Protects | T1204 | User Execution |
| SI-3 | Malicious Code Protection | Protects | T1204 | User Execution |
| SI-4 | System Monitoring | Protects | T1204 | User Execution |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1204 | User Execution |
| SI-8 | Spam Protection | Protects | T1204 | User Execution |
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1204 | User Execution |
| adaptive_application_controls | Adaptive Application Controls | technique_scores | T1204 | User Execution |
| azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1204 | User Execution |
| microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1204 | User Execution |

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1204.002 | Malicious File | 27 |
| T1204.001 | Malicious Link | 24 |