Common Information
Type | Value
---|---
Value | User Execution - T1204
Category | Attack-Pattern
Type | Mitre-Enterprise-Attack-Attack-Pattern
Misp Type | Cluster
Description | An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. While User Execution frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. Detection: Monitor the execution of, and command-line arguments for, applications that may be used by an adversary to gain Initial Access and that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads. Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution and Scripting. Platforms: Linux, Windows, macOS. Data Sources: Anti-virus, Process command-line parameters, Process monitoring. Permissions Required: User
Details | CTI | Published | Attributes | Title
---|---|---|---|---
Details | Website | 2022-07-06 | 14 | LockBit 3.0: "Making the ransomware great again" - Cluster25
Details | Website | 2022-07-06 | 33 | Multiple Vulnerabilities in Google Android OS Could Allow for Arbitrary Code Execution
Details | Website | 2022-06-30 | 69 | BRIEF: Raccoon Stealer Version 2.0
Details | Website | 2022-06-30 | 65 | UNKNOWN
Details | Website | 2022-06-30 | 68 | PennyWise Stealer: An Evasive Infostealer leveraging YouTube to infect users
Details | Website | 2022-06-29 | 18 | Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution
Details | Website | 2022-06-22 | 15 | Quantum Software: LNK file-based builders growing in popularity
Details | Website | 2022-06-15 | 47 | Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution
Details | Website | 2022-06-09 | 281 | Aoqin Dragon \| Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years
Details | Website | 2022-06-08 | 60 | Going Coast to Coast - Climbing the Pyramid with the Deimos Implant — Elastic Security Labs
Details | Website | 2022-06-02 | 48 | TAU Threat Analysis: Bundlore (macOS) mm-install-macos
Details | Website | 2022-05-25 | 25 | Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution
Details | Website | 2022-05-20 | 14 | Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof of Concept to Deliver Cobalt-Strike Beacon
Details | Website | 2022-05-09 | 96 | SEO Poisoning – A Gootloader Story
Details | Website | 2022-05-08 | 57 | Ursnif Malware Banks on News Events for Phishing Attacks \| Qualys Security Blog
Details | Website | 2022-05-03 | 36 | Multiple Vulnerabilities in Google Android OS Could Allow for Escalation of Privilege
Details | Website | 2022-04-26 | 27 | Quarterly Report: Incident Response trends in Q1 2022
Details | Website | 2022-04-25 | 104 | Quantum Ransomware
Details | Website | 2022-03-25 | 121 | Mustang Panda's Hodur: Old tricks, new Korplug variant \| WeLiveSecurity
Details | Website | 2022-03-18 | 30 | Ransomware Spotlight: Hive - Security News
Details | Website | 2022-03-15 | 28 | Decoding a DanaBot Downloader
Details | Website | 2022-03-07 | 128 | Fake Purchase Order Used to Deliver Agent Tesla \| FortiGuard Labs
Details | Website | 2022-03-06 | 21 | AvosLocker Ransomware Behavior Examined on Windows & Linux \| Qualys Security Blog
Details | Website | 2022-02-24 | 123 | Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks \| CISA
Details | Website | 2022-02-22 | 37 | Ransomware Spotlight: Clop - Security News