Common Information
Type | Value |
---|---|
Value | User Execution - T1204 |
Category | Attack-Pattern |
Type | Mitre-Enterprise-Attack-Attack-Pattern |
Misp Type | Cluster |
Description | An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file. It may also lead to other execution techniques, such as when a user clicks on a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. While User Execution frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. |
Detection | Monitor the execution of, and command-line arguments for, applications that may be used by an adversary to gain Initial Access and that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads. Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe) for techniques such as Exploitation for Client Execution and Scripting. |
Platforms | Linux, Windows, macOS |
Data Sources | Anti-virus, Process command-line parameters, Process monitoring |
Permissions Required | User |
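
The detection guidance above names three process-level cues: a document reader spawning a script host, a compression tool unpacking a payload, and a user launching an executable dressed up as a document. The following is an added example, not part of the MISP cluster or MITRE's own content, that turns those cues into detection logic run over Sysmon-style process-creation records. The event fields (`ParentImage`, `Image`, `CommandLine`, `User`), the rule names and the sample events are all constructed for illustration; the process lists are a starting allow/deny set, not an exhaustive one.

```python
"""Constructed example for T1204 User Execution: triage Sysmon-style process
creation (Event ID 1) records for the three detection cues in the description
above. The events below are made up for illustration, not real telemetry."""
import re
from pathlib import PureWindowsPath
from typing import Optional

# Applications that render attacker-controlled content and have no business
# launching a shell or script host (the "Word document spawning powershell.exe" case).
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "acrobat.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Compression tools; a password-protected extraction is the classic prelude to the
# user double-clicking an unpacked payload that AV could not scan inside the archive.
ARCHIVERS = {"7z.exe", "7zg.exe", "winrar.exe", "rar.exe", "unrar.exe"}
# "Invoice.pdf.exe"-style names: a document extension hiding an executable one.
DOUBLE_EXTENSION = re.compile(
    r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.(exe|scr|com|pif|bat|cmd|js|vbs|hta)$",
    re.IGNORECASE)


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return PureWindowsPath(path).name.lower()


def classify(event: dict) -> Optional[str]:
    """Return a rule name when the event matches a T1204 cue, else None."""
    parent = image_name(event["ParentImage"])
    child = image_name(event["Image"])
    args = event["CommandLine"].split()
    if parent in DOCUMENT_HANDLERS and child in SUSPICIOUS_CHILDREN:
        return "document_spawned_interpreter"
    if parent == "explorer.exe" and DOUBLE_EXTENSION.search(child):
        return "double_extension_executable"
    if child in ARCHIVERS:
        # 7-Zip/WinRAR: "x"/"e" extract, "-p<pwd>" supplies the archive password
        extracting = any(a.lower() in ("x", "e") for a in args)
        password = any(a.lower().startswith("-p") for a in args)
        if extracting and password:
            return "password_protected_archive_extraction"
    return None


def detect(events) -> list:
    """Run classify() over a batch and return one alert dict per hit."""
    alerts = []
    for ev in events:
        rule = classify(ev)
        if rule:
            alerts.append({"rule": rule, "user": ev["User"],
                           "image": ev["Image"], "cmdline": ev["CommandLine"]})
    return alerts


# Constructed sample batch: three true positives followed by two benign events
# (a user opening Notepad, and Word spawning the print spooler helper).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "User": r"CORP\alice"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\alice\Downloads\Invoice_2022.pdf.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\Invoice_2022.pdf.exe"',
     "User": r"CORP\alice"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\7-Zip\7zG.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7zG.exe" x "C:\Users\alice\Downloads\Scan_0912.zip" -o"C:\Users\alice\Downloads" -pinfected',
     "User": r"CORP\alice"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt',
     "User": r"CORP\alice"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288",
     "User": r"CORP\alice"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['rule']:40} {alert['user']:12} {alert['cmdline']}")
```

The parent/child pairing is the high-signal part: Word launching `splwow64.exe` is routine, Word launching `powershell.exe` with `-enc` almost never is. The archive rule is deliberately narrow (extract verb plus a password switch) because plain extractions are far too common to alert on; in practice you would also key on the destination path being a user profile directory.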
Details | CTI | Published | Attributes | Title
---|---|---|---|---
Details | Website | 2022-10-12 | 76 | Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike
Details | Website | 2022-10-12 | 77 | Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike
Details | Website | 2022-10-07 | 26 | Modified FiveM Spoofer Targeting Gamers
Details | Website | 2022-10-06 | 77 | Fake Ransomware Infection Under widespread
Details | Website | 2022-10-05 | 30 | Analysis of LilithBot Malware and Eternity Threat Group \| Zscaler
Details | Website | 2022-09-29 | 68 | Russia/Ukraine Update - September 2022
Details | Website | 2022-09-28 | 23 | New information stealer targeting crypto-wallets
Details | Website | 2022-09-27 | 1 | NullMixer Malware Detection: Hackers Spread a Dropper Using SEO to Deploy Multiple Trojans at Once - SOC Prime
Details | Website | 2022-09-27 | 21 | Anomali Cyber Watch: Sandworm Uses HTML Smuggling and Commodity RATs, BlackCat Ransomware Adds New Features, Domain Shadowing Is Rarely Detected, and More
Details | Website | 2022-09-26 | 197 | NullMixer drops Redline Stealer, SmokeLoader and other malware
Details | Website | 2022-09-26 | 410 | Demystifying Qbot Malware
Details | Website | 2022-09-23 | 44 | In the footsteps of the Fancy Bear: PowerPoint mouse-over event abused to deliver Graphite implants
Details | Website | 2022-09-17 | 33 | Fake Telegram site delivering RAT aimed at Chinese Users
Details | Website | 2022-09-15 | 41 | Erbium Stealer, a new Infostealer enters the scene
Details | Website | 2022-09-13 | 9 | Sorillus RAT Identified in Customer Environment
Details | Website | 2022-09-13 | 65 | MS-ISAC CYBERSECURITY ADVISORY - Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution
Details | Website | 2022-09-07 | 29 | Bumblebee Returns with New Infection Technique
Details | Website | 2022-08-30 | 34 | Anomali Cyber Watch: First Real-Life Video-Spoofing Attack, MagicWeb Backdoors via Non-Standard Key Identifier, LockBit Ransomware Blames Victim for DDoSing Back, and More
Details | Website | 2022-08-29 | 17 | Mini Stealer: Possible Predecessor of Parrot Stealer
Details | Website | 2022-08-25 | 66 | Russia/Ukraine Update - August 2022
Details | Website | 2022-08-25 | 18 | Moisha Ransomware In Action
Details | Website | 2022-08-22 | 395 | Vulnerability Summary for the Week of August 15, 2022 \| CISA
Details | Website | 2022-08-22 | 12 | Dissecting IBAN Clipper
Details | Website | 2022-08-18 | 0 | Hackers Using Bumblebee Loader to Compromise Active Directory Services
Details | Website | 2022-08-18 | 23 | BianLian: New Ransomware variant on the rise