Show in Graph
Common Information
Type Value
Value 
User Execution - T1204
Category Attack-Pattern
Type Mitre-Enterprise-Attack-Attack-Pattern
Misp Type Cluster
Description An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. Detection: Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads. Anti-virus can potentially detect malicious documents and files that are downloaded and execuited on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution and Scripting. Platforms: Linux, Windows, macOS Data Sources: Anti-virus, Process command-line parameters, Process monitoring Permissions Required: User
Details Published Attributes CTI Title
Details Website 2021-02-02 18 Finding and Decoding Multi-Step Obfuscated Malware
Details Website 2021-01-21 43 Vadokrist: A wolf in sheep’s clothing | WeLiveSecurity
Details Website 2021-01-14 663 Higaisa or Winnti? APT41 backdoors, old and new
Details Website 2021-01-12 70 Operation Spalax: Targeted malware attacks in Colombia | WeLiveSecurity
Details Website 2021-01-11 98 Trickbot Still Alive and Well
Details Website 2021-01-06 21 ReconHellcat Uses NIST Theme as Lure To Deliver New BlackSoul Malware
Details Website 2020-12-15 74 QakBot reducing its on disk artifacts - Hornetsecurity
Details Website 2020-12-14 220 Carbanak/ FIN7 Crime Gang Threat Intel Advisory | Threat Intelligence | CloudSEK
Details Website 2020-12-03 37 Persist, Brick, Profit -TrickBot Offers New “TrickBoot” UEFI-Focused Functionality
Details Website 2020-12-02 100 IcedID Stealer Man-in-the-browser Banking Trojan
Details Website 2020-11-19 3 Evolution of Emotet: From Banking Trojan to Malware Distributor
Details Website 2020-11-05 60 Attacks on industrial enterprises using RMS and TeamViewer: new data
Details Website 2020-10-27 61 APT-31 Leverages COVID-19 Vaccine Theme | Zscaler Blog
Details Website 2020-10-24 31 Emotet Malware | CISA
Details Website 2020-10-12 47 ESET takes part in global operation to disrupt Trickbot | WeLiveSecurity
Details Website 2020-10-01 85 Potential for China Cyber Response to Heightened U.S.–China Tensions | CISA
Details Website 2020-09-29 198 Oil and Gas Industries in Middle East Targeted | blog
Details Website 2020-09-23 26 Your best defense against ransomware: Find the early warning signs - Help Net Security
Details Website 2020-09-22 21 LokiBot Malware | CISA
Details Website 2020-09-08 305 ShadowPad: новая активность группировки Winnti
Details Website 2020-09-02 63 KryptoCibule: The multitasking multicurrency cryptostealer | WeLiveSecurity
Details Website 2020-09-01 32 Epic Manchego – atypical maldoc delivery brings flurry of infostealers
Details Website 2020-07-30 18 McAfee Defender’s Blog: Operation North Star Campaign | McAfee Blog
Details Website 2020-07-20 85 GOLDEN CHICKENS: Evolution of the MaaS
Details Website 2020-07-16 76 Mac cryptocurrency trading application rebranded, bundled with malware | WeLiveSecurity