Show in Graph
Common Information
Type Value
Value 
User Execution - T1204
Category Attack-Pattern
Type Mitre-Enterprise-Attack-Attack-Pattern
Misp Type Cluster
Description An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. Detection: Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads. Anti-virus can potentially detect malicious documents and files that are downloaded and execuited on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution and Scripting. Platforms: Linux, Windows, macOS Data Sources: Anti-virus, Process command-line parameters, Process monitoring Permissions Required: User
Details Published Attributes CTI Title
Details Website 2022-02-08 26 Ransomware Spotlight: LockBit - Security News
Details Website 2022-02-04 22 Emotet’s Uncommon Approach of Masking IP Addresses | McAfee Blog
Details Website 2022-02-01 96 SEO Poisoning to Distribute BATLOADER and Atera Agent
Details Website 2022-01-20 127 Middle East users targeted by Molerats APT | Zscaler Blog
Details Website 2022-01-19 85 One Source to Rule Them All: Chasing AVADDON Ransomware | Mandiant
Details Website 2022-01-18 158 DoNot Go! Do not respawn! | WeLiveSecurity
Details Website 2022-01-06 76 NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies
Details Website 2021-12-20 51 Ransomware Spotlight: REvil - Security News
Details Website 2021-12-13 14 HANCITOR DOC drops via CLIPBOARD | McAfee Blog
Details Website 2021-12-02 95 SideCopy APT: Connecting lures to victims, payloads to infrastructure
Details Website 2021-11-18 50 Conti Ransomware | Qualys Security Blog
Details Website 2021-11-05 33 Spike in DanaBot Malware Activity | Zscaler
Details Website 2021-11-01 116 From Zero to Domain Admin
Details Website 2021-10-28 13 Quarterly Report: Incident Response trends from Q3 2021
Details Website 2021-10-18 498 Vulnerability Summary for the Week of October 11, 2021 | CISA
Details Website 2021-10-12 62 Going Coast to Coast - Climbing the Pyramid with the Deimos Implant
Details Website 2021-10-04 173 BazarLoader and the Conti Leaks
Details Website 2021-09-29 28 Zloader Campaigns at a Glance - Security News
Details Website 2021-08-31 3 Lacework 2021 Cloud Threat Report Vol. 2
Details Website 2021-08-03 75 APT31 new dropper. Target destinations: Mongolia, Russia, the U.S., and elsewhere
Details Website 2021-07-20 3 Fighting new Ransomware Techniques with McAfee’s Latest Innovations | McAfee Blog
Details Website 2021-07-19 75 Chinese State-Sponsored Cyber Operations: Observed TTPs | CISA
Details Website 2021-07-08 16 Hancitor Making Use of Cookies to Prevent URL Scraping | McAfee Blog
Details Website 2021-07-05 79 Kaseya, Sera. What REvil Shall Encrypt, Shall Encrypt
Details Website 2021-06-24 60 Demystifying the full attack chain of MineBridge RAT | Zscaler