Show in Graph
Common Information
Type Value
Value 
User Execution - T1204
Category Attack-Pattern
Type Mitre-Enterprise-Attack-Attack-Pattern
Misp Type Cluster
Description An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. Detection: Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads. Anti-virus can potentially detect malicious documents and files that are downloaded and execuited on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution and Scripting. Platforms: Linux, Windows, macOS Data Sources: Anti-virus, Process command-line parameters, Process monitoring Permissions Required: User
Details Published Attributes CTI Title
Details Website 2021-06-22 6 NukeSped Copies Fileless Code From Bundlore, Leaves It Unused
Details Website 2021-06-22 5 NukeSped Copies Fileless Code From Bundlore, Leaves It Unused
Details Website 2021-06-16 87 Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise | Mandiant
Details Website 2021-06-15 126 Andariel evolves to target South Korea with ransomware
Details Website 2021-06-15 86 Ransomware Double Extortion and Beyond: REvil, Clop, and Conti - Security News
Details Website 2021-05-27 39 New sophisticated email-based attack from NOBELIUM - Microsoft Security Blog
Details Website 2021-05-25 21 Taking TeamTNT’s Docker Images Offline - Lacework
Details Website 2021-05-17 14 Case Study: Incident Response is a relationship-driven business
Details Website 2021-05-04 133 The UNC2529 Triple Double: A Trifecta Phishing Campaign | Mandiant
Details Website 2021-04-20 4 The Storybook Approach to MITRE ATT&CK
Details Website 2021-04-20 1 Carbanak and FIN7 Attack Techniques
Details Website 2021-04-20 1 Carbanak and FIN7 Attack Techniques
Details Website 2021-04-06 71 McAfee Defender’s Blog: Cuba Ransomware Campaign | McAfee Blog
Details Website 2021-04-06 93 Janeleiro, the time traveler: A new old banking trojan in Brazil | WeLiveSecurity
Details Website 2021-03-31 78 Bahamut Possibly Responsible for Multi-Stage Infection Chain Campaign
Details Website 2021-03-24 18 Quarterly Report: Incident Response trends from Winter 2020-21
Details Website 2021-03-23 71 Multistage low-volume attack using AzureEdge and Shopify CDN
Details Website 2021-03-16 92 日本の製造業を狙うTickグループ - セキュリティ事業 - マクニカ
Details Website 2021-03-09 24 Gootloader Malware Threat Intel Advisory | Threat Intelligence | CloudSEK
Details Website 2021-03-08 0 McAfee ATR Thinks in Graphs | McAfee Blog
Details Website 2021-03-05 82 Earth Vetala MuddyWater Continues to Target Organizations in the Middle East
Details Website 2021-02-25 161 Lazarus targets defense industry with ThreatNeedle
Details Website 2021-02-25 190 So Unchill: Melting UNC2198 ICEDID to Ransomware Operations | Mandiant
Details Website 2021-02-09 83 Malware Distribution Uses Discord CDN | Zscaler Blog
Details Website 2021-02-02 17 Finding and Decoding Multi-Step Obfuscated Malware