User Execution (T1204)
Tactic: Execution · Platforms: Linux, Windows, macOS, IaaS, Containers
The interactive view maps 1 detection strategy, 6 mitigations, 2 threat groups, 2 software entries, 1 campaign to this technique, alongside D3FEND countermeasures and data-component coverage.
Overview
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.
While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
Adversaries may also deceive users into performing actions such as:
* Enabling Remote Access Tools, allowing direct control of the system to the adversary * Running malicious JavaScript in their browser, allowing adversaries to Steal Web Session Cookies * Downloading and executing malware for User Execution * Coerceing users to copy, paste, and execute malicious code manually
For example, tech support scams can be facilitated through Phishing, vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or Remote Access Tools.
Sub-techniques
- Malicious Link (T1204.001)
- Malicious File (T1204.002)
- Malicious Image (T1204.003)
- Malicious Copy and Paste (T1204.004)
- Malicious Library (T1204.005)