Common Information

Type | Value |
---|---|
Value | User Execution - T1204 |
Category | Attack-Pattern |
Type | Mitre-Enterprise-Attack-Attack-Pattern |
Misp Type | Cluster |
Description | An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file. It may also lead to other execution techniques, such as when a user clicks on a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. While User Execution frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. |
Detection | Monitor the execution of, and command-line arguments for, applications that may be used by an adversary to gain Initial Access and that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads. Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe) for techniques such as Exploitation for Client Execution and Scripting. |
Platforms | Linux, Windows, macOS |
Data Sources | Anti-virus, Process command-line parameters, Process monitoring |
Permissions Required | User |
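The detection guidance above, turned into logic that runs over process-creation telemetry: a document handler (Word, Excel, Acrobat, ...) spawning a script host or shell, an executable whose name masquerades as a document via a double extension, and any use of a compression application recorded with its command line for triage. This is an added example, not code from the MISP cluster or the ATT&CK entry. The Sysmon-like field names (`Image`, `ParentImage`, `CommandLine`), the process-name lists, and the JSON-lines sample log are assumptions constructed for the example.

```python
"""
Heuristic User Execution (T1204) detection over process-creation events.

Added example, not part of the MISP/ATT&CK entry. The event schema is an
assumed, Sysmon-like layout (Image, ParentImage, CommandLine) and the
sample telemetry below is constructed, not captured from a real host.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Applications a user typically opens a delivered file with (assumed list).
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                     "acrord32.exe", "acrobat.exe", "foxitreader.exe"}
# Interpreters the ATT&CK text singles out (powershell.exe) plus common
# siblings; any of these as a child of a document handler is suspicious.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Compression applications whose execution and arguments are worth recording.
ARCHIVERS = {"7z.exe", "7zg.exe", "winrar.exe", "unrar.exe", "tar.exe"}
# "invoice.pdf.exe" style masquerade: document-looking stem, executable extension.
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg")
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".lnk", ".js", ".vbs", ".hta")


@dataclass
class Finding:
    severity: str      # "alert" for likely malicious, "audit" for triage-only
    rule: str
    image: str
    parent: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict) -> Optional[Finding]:
    """Apply the three heuristics to one process-creation event."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")

    # Rule 1: a document reader spawning a script host or shell.
    if parent in DOCUMENT_HANDLERS and image in SUSPICIOUS_CHILDREN:
        return Finding("alert", "doc_spawns_interpreter", image, parent, cmd)

    # Rule 2: executable whose name ends in a document extension before the real one.
    stem, _, ext = image.rpartition(".")
    if ("." + ext) in EXEC_EXTENSIONS and stem.endswith(DOC_EXTENSIONS):
        return Finding("alert", "double_extension_masquerade", image, parent, cmd)

    # Rule 3: compression application run; keep the command line for triage.
    if image in ARCHIVERS:
        return Finding("audit", "archiver_execution", image, parent, cmd)

    return None


def scan(events: Iterable[dict]) -> List[Finding]:
    """Return every finding produced by the event stream, in input order."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


def parse_jsonl(text: str) -> List[dict]:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample telemetry (assumed schema, not real logs).
SAMPLE_LOG = r"""
{"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -nop -w hidden -enc SQBFAFgA","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"Image":"C:\\Users\\alice\\Downloads\\invoice.pdf.exe","CommandLine":"\"C:\\Users\\alice\\Downloads\\invoice.pdf.exe\"","ParentImage":"C:\\Windows\\explorer.exe"}
{"Image":"C:\\Program Files\\7-Zip\\7z.exe","CommandLine":"7z x shipment_docs.zip -oC:\\Users\\alice\\AppData\\Local\\Temp","ParentImage":"C:\\Windows\\explorer.exe"}
{"Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad readme.txt","ParentImage":"C:\\Windows\\explorer.exe"}
{"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd /c build.bat","ParentImage":"C:\\Program Files\\Git\\git-bash.exe"}
"""


if __name__ == "__main__":
    for finding in scan(parse_jsonl(SAMPLE_LOG)):
        print(f"[{finding.severity}] {finding.rule}: {finding.parent} -> "
              f"{finding.image}  cmd={finding.command_line!r}")
```

Rule 1 is the high-signal one and maps directly to the "Word document or PDF spawning powershell.exe" case in the entry; Rule 2 catches the "icon and apparent extension of a document file" lure before anything is spawned; Rule 3 is deliberately only an audit record, since archiver use is common and the entry asks for it to be monitored rather than blocked. The last two sample events exist to show that an ordinary notepad launch and a shell under a developer tool produce nothing.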
Details | CTI | Published | Attributes | Title |
---|---|---|---|---|
Details | Website | 2023-03-14 | 3 | Don’t Take the Bait: How to Spot and Avoid Phishing Attacks |
Details | Website | 2023-03-14 | 36 | Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam |
Details | Website | 2023-03-09 | 38 | DUCKTAIL: Threat Operation Re-emerges with New LNK, PowerShell, and Other Custom Tactics to Avoid Detection \| Deep Instinct |
Details | Website | 2023-03-09 | 16 | BlackSnake Ransomware Emerges from Chaos Ransomware's Shadow |
Details | Website | 2023-03-06 | 4 | MQsTTang Backdoor Detection: New Custom Malware by Mustang Panda APT Actively Used in the Latest Campaign Against Government Entities - SOC Prime |
Details | Website | 2023-03-06 | 671 | Vulnerability Summary for the Week of February 27, 2023 \| CISA |
Details | Website | 2023-03-02 | 199 | Russia/Ukraine Update - February 2023 |
Details | Website | 2023-03-01 | 16 | MITRE ATT&CK and D3FEND for Cloud and Containers – Sysdig |
Details | Website | 2023-03-01 | 70 | Multi-Year Spearphishing Campaign Targets the Maritime Industry Likely for Financial Gain |
Details | Website | 2023-02-28 | 44 | CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks \| CISA |
Details | Website | 2023-02-28 | 0 | Hackers Attack Employees from Six Law Firms with the GootLoader and… |
Details | Website | 2023-02-28 | 16 | Aligning Falco’s Cloudtrail Rules with MITRE ATT&CK – Sysdig |
Details | Website | 2023-02-28 | 56 | Anomali Cyber Watch: Newly-Discovered WinorDLL64 Backdoor Has Code Similarities with Lazarus GhostSecret, Atharvan Backdoor Can Be Restricted to Communicate on Certain Days |
Details | Website | 2023-02-27 | 76 | Lumma Stealer targets YouTubers via Spear-phishing Email |
Details | Website | 2023-02-24 | 41 | New WhiteSnake Stealer Offered for Sale Via MaaS Model |
Details | Website | 2023-02-23 | 27 | Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware |
Details | Website | 2023-02-20 | 31 | Decoding the Inner Workings of DarkCloud Stealer |
Details | Website | 2023-02-17 | 4 | ProxyShellMiner Detection: Novel Crypto-Mining Attacks Abusing CVE-2021-34473 and CVE-2021-34523 ProxyShell Vulnerabilities in Windows Exchange Servers - SOC Prime |
Details | Website | 2023-02-17 | 49 | The Many Faces of Qakbot Malware: A Look at Its Diverse Distribution Methods |
Details | Website | 2023-02-15 | 8 | Uncovering The Dark Side of DarkBit Ransomware |
Details | Website | 2023-02-08 | 21 | Earth Zhulong Familiar Patterns Target Southeast Asian Firms |
Details | Website | 2023-02-06 | 19 | Massive Ransomware Attack Targets VMware ESXi Servers |
Details | Website | 2023-02-02 | 37 | New BATLoader Disseminates RATs and Stealers |
Details | Website | 2023-02-01 | 23 | Qakbot's Evolution Continues with New Strategies |
Details | Website | 2023-02-01 | 37 | Vector Stealer: A Gateway for RDP Hijacking |