Common Information

Type | Value
---|---
Value | User Execution - T1204
Category | Attack-Pattern
Type | Mitre-Enterprise-Attack-Attack-Pattern
Misp Type | Cluster
Description | An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. While User Execution frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it.
Detection | Monitor the execution of, and command-line arguments for, applications that may be used by an adversary to gain Initial Access and that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads. Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe) for techniques such as Exploitation for Client Execution and Scripting.
Platforms | Linux, Windows, macOS
Data Sources | Anti-virus, Process command-line parameters, Process monitoring
Permissions Required | User
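The detection guidance above boils down to three process-creation patterns: a document handler (Word, Excel, Acrobat) spawning a script host, a user double-clicking a file whose apparent extension is a document but whose real extension is executable, and an archive tool unpacking something out of a download or mail-attachment folder. The script below is an added example, not part of the MISP galaxy or the MITRE entry; it runs that logic over constructed Sysmon-style process events (the file names, paths and the base64 blob are made up for the example) and returns the findings per event so the rules can be checked.

```python
"""Added example (not from the MISP/MITRE page): flag process-creation events
that match the T1204 detection guidance. The event records below imitate
Sysmon Event ID 1 / EDR telemetry but are constructed for this example."""
import re
from pathlib import PureWindowsPath

# Office and PDF readers that have no business spawning script interpreters.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "outlook.exe"}
# Interpreters and LOLBins commonly launched by a malicious document or macro.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Compression tools that may unpack the payload (Deobfuscate/Decode Files or Information).
ARCHIVERS = {"7z.exe", "7zg.exe", "winrar.exe", "winzip64.exe"}
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".hta", ".lnk", ".bat", ".cmd"}

ENCODED_PS = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\b|frombase64string|downloadstring|\biex\b")
USER_DROP_DIRS = re.compile(r"(?i)\\(downloads|temp|inetcache)\\")


def _basename(path):
    return PureWindowsPath(path).name.lower()


def masquerades_as_document(image):
    """True for 'invoice.pdf.exe'-style names: a document extension hiding an executable one."""
    suffixes = [s.lower() for s in PureWindowsPath(image).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTENSIONS and suffixes[-2] in DOC_EXTENSIONS


def classify(event):
    """Return the list of findings for one process-creation event (empty when nothing matched)."""
    image = _basename(event["image"])
    parent = _basename(event["parent_image"])
    cmdline = event.get("command_line", "")
    findings = []
    if parent in DOCUMENT_HANDLERS and image in SCRIPT_HOSTS:
        findings.append(f"document handler {parent} spawned {image}")
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(cmdline):
        findings.append("encoded or download-cradle PowerShell command line")
    if parent == "explorer.exe" and masquerades_as_document(event["image"]):
        findings.append(f"user launched double-extension file {image}")
    if image in ARCHIVERS and (parent == "explorer.exe" or parent in DOCUMENT_HANDLERS) \
            and USER_DROP_DIRS.search(cmdline):
        findings.append(f"{image} unpacking an archive from a user download or attachment folder")
    return findings


def scan(events):
    """Map record_id -> findings for every event that tripped at least one rule."""
    return {e["record_id"]: f for e in events if (f := classify(e))}


# Constructed sample telemetry (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    {"record_id": 1,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -nop -w hidden -enc SQBFAFgAIABOAGUAdwAtAE8AYgBqAGUAYwB0AA=="},
    {"record_id": 2,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\Downloads\Invoice_2022.pdf.exe",
     "command_line": r'"C:\Users\alice\Downloads\Invoice_2022.pdf.exe"'},
    {"record_id": 3,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\7-Zip\7zG.exe",
     "command_line": r'"C:\Program Files\7-Zip\7zG.exe" x "C:\Users\alice\Downloads\Statement_Nov.zip" -pINVOICE'},
    {"record_id": 4,  # benign: the user simply opened a document
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Documents\agenda.docx"'},
    {"record_id": 5,  # benign: scheduled admin script, no user-facing parent, no encoding
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\maint.ps1"},
]

if __name__ == "__main__":
    for record_id, findings in scan(SAMPLE_EVENTS).items():
        print(record_id, "->", "; ".join(findings))
```

Records 4 and 5 are there on purpose: a user opening Word from Explorer, and a service-launched PowerShell without encoding or a download cradle, both stay quiet, so the rules key on the parent/child relationship and the command line rather than on the mere presence of powershell.exe. In production the same logic would be expressed as a Sigma or EDR rule over the Process command-line parameters and Process monitoring data sources listed in the table.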
Details | CTI | Published | Attributes | Title
---|---|---|---|---
Details | Website | 2022-12-08 | 51 | Mallox Ransomware showing signs of Increased Activity
Details | Website | 2022-12-06 | 10 | Anomali Cyber Watch: Infected Websites Show Different Headers Depending on Search Engine Fingerprinting, 10 Android Platform Certificates Abused in the Wild, Phishing Group Impersonated Major UAE Oil
Details | Website | 2022-12-01 | 43 | Three Cases of Cyber Attacks on the Security Service of Ukraine and NATO Allies, Likely by Russian State-Sponsored Gamaredon
Details | Website | 2022-12-01 | 47 | DuckLogs - New Malware Strain Spotted In The Wild
Details | Website | 2022-11-30 | 34 | Redline Stealer being Distributed via Fake Express VPN Sites
Details | Website | 2022-11-29 | 132 | Russia/Ukraine Update - November 2022
Details | Website | 2022-11-25 | 4 | BatLoader Malware Detection: Evasive Downloader on the Rise - SOC Prime
Details | Website | 2022-11-25 | 25 | Punisher Ransomware Spreading Through Fake COVID Site
Details | Website | 2022-11-22 | 3 | Earth Preta aka Mustang Panda Attack Detection: Abused Fake Google Accounts in Spear-Phishing Campaigns Targeting Governments Worldwide - SOC Prime
Details | Website | 2022-11-18 | 42 | AXLocker, Octocrypt, and Alice: Leading a new wave of Ransomware Campaigns
Details | Website | 2022-11-16 | 335 | HZ RAT goes China
Details | Website | 2022-11-16 | 21 | Pilfered Keys Free App Infected by Malware Steals Keychain Data
Details | Website | 2022-11-16 | 20 | Pilfered Keys Free App Infected by Malware Steals Keychain Data
Details | Website | 2022-11-12 | 4 | Understanding Privilege Escalation by Abusing Linux Access Control
Details | Website | 2022-11-09 | 67 | Emotet returns Targeting Users Worldwide
Details | Website | 2022-11-02 | 222 | New Laplas Clipper Distributed via SmokeLoader
Details | Website | 2022-10-31 | 85 | Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware - Cynet
Details | Website | 2022-10-18 | 31 | Unmasking VENOM SPIDER
Details | Website | 2022-10-18 | 104 | LAZARUS attacks the Netherlands and Belgium
Details | Website | 2022-10-17 | 75 | Advanced Persistent Threat (APT) Groups: Boogeyman or Well-Funded Cybercriminal?
Details | Website | 2022-10-17 | 853 | Vulnerability Summary for the Week of October 10, 2022 \| CISA
Details | Website | 2022-10-14 | 86 | FIN11 is Back : Impersonates Popular Video Conference Application - CYFIRMA
Details | Website | 2022-10-14 | 39 | Online File Converter Phishing Page Spreads RedLine Stealer
Details | Website | 2022-10-13 | 35 | Mitsu Stealer distributed via AnyDesk Phishing Site
Details | Website | 2022-10-12 | 24 | Anomali Cyber Watch: Emotet Added Two New Modules, LofyGang Distributed 200 Malicious Packages, Bumblebee Loader Expanded Its Reach, and More