Common Information
Type | Value
---|---
Value | User Execution - T1204
Category | Attack-Pattern
Type | Mitre-Enterprise-Attack-Attack-Pattern
Misp Type | Cluster
Description | An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. While User Execution frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it.
Detection | Monitor the execution of, and command-line arguments for, applications that may be used by an adversary to gain Initial Access and that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads. Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution and Scripting.
Platforms | Linux, Windows, macOS
Data Sources | Anti-virus, Process command-line parameters, Process monitoring
Permissions Required | User
Details | Published | Attributes | CTI | Title
---|---|---|---|---
Details | Website | 2023-04-21 | 23 | Qakbot Malware Continues to Morph
Details | Website | 2023-04-20 | 56 | Linux malware strengthens links between Lazarus and the 3CX supply-chain attack | WeLiveSecurity
Details | Website | 2023-04-20 | 65 | Linux malware strengthens links between Lazarus and the 3CX supply-chain attack | WeLiveSecurity
Details | Website | 2023-04-20 | 481 | ATT&CK Changes
Details | Website | 2023-04-19 | 178 | New TACTICAL#OCTOPUS Attack Campaign Targets US Entities with Malware Bundled in Tax-Themed Documents
Details | Website | 2023-04-19 | 5 | NVD - CVE-2023-21083
Details | Website | 2023-04-18 | 28 | CrossLock Ransomware Emerges: New GoLang-Based Malware On the Horizon
Details | Website | 2023-04-17 | 32 | Stealer Malware Analysis: With file padding to avoid detection.
Details | Website | 2023-04-17 | 21 | MITRE | TryHackMe (THM)
Details | Website | 2023-04-10 | 25 | Attack chain leads to XWORM and AGENTTESLA — Elastic Security Labs
Details | Website | 2023-04-03 | 22 | Anomali Cyber Watch: Balada Injector Exploits WordPress Elementor Pro, Icon 3CX Stealer Detected by YARA, Koi Loader-Stealer Compresses-then-Encrypts Memory Streams
Details | Website | 2023-04-03 | 29 | Cl0p Ransomware: Active Threat Plaguing Businesses Worldwide
Details | Website | 2023-04-01 | 28 | 3CX Desktop App targeted in supply chain attack
Details | Website | 2023-03-30 | 141 | New TACTICAL#OCTOPUS Attack Campaign Targets US Entities with Malware Bundled in Tax-Themed Documents
Details | Website | 2023-03-28 | 32 | Anomali Cyber Watch: Bitter Spies on Chinese Nuclear Energy, Kimsuky Takes Over Google Account to Infect Connected Android Devices, Bad Magic APT Targets Occupied Parts of Ukraine
Details | Website | 2023-03-27 | 862 | Vulnerability Summary for the Week of March 20, 2023 | CISA
Details | Website | 2023-03-23 | 60 | New loader on the bloc - AresLoader
Details | Website | 2023-03-23 | 16 | Cybercriminals Exploit SVB’s Collapse; Emotet Returns & BatLoader Abuses Google Ads
Details | Website | 2023-03-23 | 78 | Earth Preta Updated Stealthy Strategies
Details | Website | 2023-03-23 | 68 | Cinoshi Project and the Dark Side of Free MaaS
Details | Website | 2023-03-23 | 80 | Earth Preta Updated Stealthy Strategies
Details | Website | 2023-03-22 | 9 | APT Profile: Sandworm - SOCRadar® Cyber Intelligence Inc.
Details | Website | 2023-03-21 | 52 | Notorious SideCopy APT group sets sights on India's DRDO
Details | Website | 2023-03-17 | 52 | Recent Emotet Spam Campaign Utilizing New Tactics