1. Home
  2. ATT&CK Techniques
  3. T1204 User Execution

T1204 User Execution Mappings

An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.

While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-4 Information Flow Enforcement Protects T1204 User Execution
CA-7 Continuous Monitoring Protects T1204 User Execution
CM-2 Baseline Configuration Protects T1204 User Execution
CM-6 Configuration Settings Protects T1204 User Execution
CM-7 Least Functionality Protects T1204 User Execution
SC-44 Detonation Chambers Protects T1204 User Execution
SC-7 Boundary Protection Protects T1204 User Execution
SI-10 Information Input Validation Protects T1204 User Execution
SI-2 Flaw Remediation Protects T1204 User Execution
SI-3 Malicious Code Protection Protects T1204 User Execution
SI-4 System Monitoring Protects T1204 User Execution
SI-7 Software, Firmware, and Information Integrity Protects T1204 User Execution
SI-8 Spam Protection Protects T1204 User Execution
CVE-2017-14487 n/a uncategorized T1204 User Execution
action.malware.variety.Unknown Unknown related-to T1204 User Execution
action.social.variety.Phishing Phishing (or any type of *ishing) related-to T1204 User Execution
aws_config AWS Config technique_scores T1204 User Execution

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1204.002 Malicious File 83
T1204.003 Malicious Image 23
T1204.001 Malicious Link 42