Common Information
Type | Value |
---|---|
Value | User Execution - T1204 |
Category | Attack-Pattern |
Type | Mitre-Enterprise-Attack-Attack-Pattern |
Misp Type | Cluster |
Description | An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. While User Execution frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. Detection: Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access and that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads. Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution and Scripting. Platforms: Linux, Windows, macOS Data Sources: Anti-virus, Process command-line parameters, Process monitoring Permissions Required: User |
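The detection guidance in the description above (a document application spawning Powershell.exe, and an executable carrying the apparent extension of a document) can be turned into a small process-creation rule. The following is an added example, not part of the MISP cluster record or of MITRE's own content; the event field names, the application lists and the sample events are constructed for illustration.

```python
"""Detection helper for T1204 (User Execution) over process-creation events.

Added example (not from the MISP record). It checks three things the
description above calls out: a document-handling application spawning a
script host, an archive tool launching an executable, and a launched file
whose name mimics a document via a double extension. All names, field
layouts and sample events below are constructed assumptions.
"""
import ntpath
from dataclasses import dataclass

# Applications that render user-delivered content (constructed list).
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "outlook.exe"}
# Compression tools the description names as a way to unpack payloads (constructed list).
ARCHIVE_APPS = {"7z.exe", "7zg.exe", "winrar.exe"}
# Script/shell hosts that should rarely be children of the apps above.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}
# Common abbreviations of PowerShell's -EncodedCommand switch.
ENCODED_SWITCHES = {"-e", "-ec", "-enc", "-encodedcommand"}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (field names are an assumption)."""
    parent_image: str
    image: str
    command_line: str
    user: str


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def masquerades_as_document(path: str) -> bool:
    """True for names like 'Invoice.pdf.exe': executable extension preceded by a document one."""
    root, last = ntpath.splitext(_base(path))
    if last not in EXEC_EXTENSIONS:
        return False
    _, previous = ntpath.splitext(root)
    return previous in DOC_EXTENSIONS


def classify(event: ProcessEvent) -> list[str]:
    """Return the list of T1204-related findings for one event (empty if benign)."""
    parent, child = _base(event.parent_image), _base(event.image)
    findings = []
    if parent in DOCUMENT_APPS and child in SCRIPT_HOSTS:
        findings.append(f"document app {parent} spawned script host {child}")
    if parent in ARCHIVE_APPS and ntpath.splitext(child)[1] in EXEC_EXTENSIONS:
        findings.append(f"archive tool {parent} launched executable {child}")
    if masquerades_as_document(event.image):
        findings.append(f"double-extension file launched: {child}")
    if child in {"powershell.exe", "pwsh.exe"}:
        tokens = set(event.command_line.lower().split())
        if tokens & ENCODED_SWITCHES:
            findings.append("powershell started with an encoded command")
    return findings


def scan(events: list[ProcessEvent]) -> list[list[str]]:
    """Classify every event; result list is aligned with the input list."""
    return [classify(e) for e in events]


# Constructed sample events: one Office-to-PowerShell chain, one double-extension
# download, one benign Word child process, one executable unpacked by an archiver.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc QQBBAEEAQQA=", "CORP\\alice"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Users\alice\Downloads\Invoice_2023.pdf.exe",
                 "Invoice_2023.pdf.exe", "CORP\\alice"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "splwow64.exe 8192", "CORP\\alice"),
    ProcessEvent(r"C:\Program Files\7-Zip\7zG.exe",
                 r"C:\Users\alice\Downloads\archive\setup.exe", "setup.exe", "CORP\\alice"),
]

if __name__ == "__main__":
    for event, findings in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(f"{event.user} {_base(event.parent_image)} -> {_base(event.image)}: {findings or 'no finding'}")
```

The parent/child pairing is the part worth tuning: the script-host list trades a few false positives (macros that legitimately call PowerShell) for catching the chain the description names, while the double-extension check is cheap and precise enough to alert on its own.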
Details | CTI | Published | Attributes | Title |
---|---|---|---|---|
Details | Website | 2023-07-20 | 59 | Common TTPs of attacks against industrial organizations. Implants for remote access \| Kaspersky ICS CERT |
Details | Website | 2023-07-18 | 1031 | US-CERT Vulnerability Summary for the Week of July 10, 2023 - RedPacket Security |
Details | Website | 2023-07-17 | 1031 | Vulnerability Summary for the Week of July 10, 2023 \| CISA |
Details | Website | 2023-07-13 | 25 | Trojanized Application Preying on TeamViewer Users |
Details | Website | 2023-07-12 | 13 | Unraveling the Illusion of Trust: The Innovative Attack Methodology Leveraging the "search-ms" URI Protocol Handler |
Details | Website | 2023-07-06 | 239 | Increased Truebot Activity Infects U.S. and Canada Based Networks \| CISA |
Details | Website | 2023-07-06 | 69 | ARCrypt Ransomware Evolves with Multiple TOR Communication Channels |
Details | Website | 2023-07-05 | 15 | Underground Team Ransomware Demands Nearly $3 Million |
Details | Website | 2023-06-28 | 8 | Akira Ransomware Extends Reach to Linux Platform |
Details | Website | 2023-06-27 | 42 | Behind the Scenes of a Phishing Attack: How DMARC Protects Against Phishing and Spoofing Threats |
Details | Website | 2023-06-27 | 14 | Unveiling Wagner Group's Cyber-Recruitment |
Details | Website | 2023-06-23 | 100 | Securonix Threat Labs Security Advisory: New MULTI#STORM Attack Campaign Involving Python-based Loader Masquerading as OneDrive Utilities Dropping Multiple RAT Payloads Using Security Analytics |
Details | Website | 2023-06-22 | 809 | US-CERT Vulnerability Summary for the Week of June 12, 2023 - RedPacket Security |
Details | Website | 2023-06-22 | 30 | Mallox Ransomware Implements New Infection Strategy |
Details | Website | 2023-06-16 | 41 | New Malware Campaign Targets LetsVPN Users |
Details | Website | 2023-06-14 | 60 | Shampoo: A New ChromeLoader Campaign \| HP Wolf Security |
Details | Website | 2023-06-13 | 56 | Threat Trends: Snort IPS |
Details | Website | 2023-06-13 | 46 | Threat Actor Targets Russian Gaming Community With WannaCry-Imitator |
Details | Website | 2023-06-09 | 207 | Over 45 thousand Users Fell Victim to Malicious PyPI Packages |
Details | Website | 2023-06-08 | 32 | Unmasking the Darkrace Ransomware Gang |
Details | Website | 2023-06-07 | 31 | RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine |
Details | Website | 2023-06-06 | 27 | Anomali Cyber Watch: LEMURLOOT on Exploited MOVEit Transfers, Zero-Click iOS Exploit Targeted Kaspersky, Qakbot Turns Bots into Proxies |
Details | Website | 2023-06-01 | 34 | SharpPanda APT Campaign Expands its Arsenal Targeting G20 Nations |
Details | Website | 2023-05-25 | 15 | Obsidian ORB Ransomware Demands Gift Cards as Payment |
Details | Website | 2023-05-25 | 43 | Invicta Stealer Spreading Through Phony GoDaddy Refund Invoices |