Description
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.
While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
Adversaries may also deceive users into performing actions such as:
Enabling Remote Access Tools, allowing direct control of the system to the adversary Running malicious JavaScript in their browser, allowing adversaries to Steal Web Session Cookies(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023) Downloading and executing malware for User Execution Coerceing users to copy, paste, and execute malicious code manually(Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn)
For example, tech support scams can be facilitated through Phishing, vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or Remote Access Tools.(Citation: Telephone Attack Delivery)
Platforms
Sub-Techniques (5)
Malicious Link
T1204.002Malicious File
T1204.003Malicious Image
T1204.004Malicious Copy and Paste
T1204.005Malicious Library
Mitigations (6)
User TrainingM1017
Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.
Execution PreventionM1038
Application control may be able to prevent the running of executables masquerading as other files.
Behavior Prevention on EndpointM1040
On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent executable files from running unless they meet a prevalence, age, or trusted list criteria and to prevent Office applications from creating potentially malicious executable content by blocking malicious code from being written to disk. Note: cloud-delivered protection must be enabled to use certain rules. (Citation: win10_asr)
Restrict Web-Based ContentM1021
If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files.
Network Intrusion PreventionM1031
If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.
Limit Software InstallationM1033
Where possible, consider requiring developers to pull from internal repositories containing verified and approved packages rather than from external ones.
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has impersonated organization IT and helpdesk staff to instruct victims to execute commercia... |
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has recruited target organization employees or contractors who provide credentials and approve an ass... |
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S1213 | Lumma Stealer | Malware | [Lumma Stealer](https://attack.mitre.org/software/S1213) has been distributed through a fake CAPTCHA that presents instructions to the victim to open ... |
| S1130 | Raspberry Robin | Malware | [Raspberry Robin](https://attack.mitre.org/software/S1130) execution can rely on users directly interacting with malicious LNK files.(Citation: Micros... |
References
- Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious Bookmarks. Retrieved January 2, 2024.
- Reliaquest. (2024, May 31). New Execution Technique in ClearFake Campaign. Retrieved August 2, 2024.
- Selena Larson, Sam Scholten, Timothy Kromphardt. (2021, November 4). Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery. Retrieved January 5, 2022.
- Tiago Pereira. (2023, November 2). Attackers use JavaScript URLs, API forms and more to scam users in popular online game “Roblox”. Retrieved January 2, 2024.
- Tommy Madjar, Dusty Miller, Selena Larson. (2024, June 17). From Clipboard to Compromise: A PowerShell Self-Pwn. Retrieved August 2, 2024.
Frequently Asked Questions
What is T1204 (User Execution)?
T1204 is a MITRE ATT&CK technique named 'User Execution'. It belongs to the Execution tactic(s). An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a maliciou...
How can T1204 be detected?
Detection of T1204 (User Execution) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1204?
There are 6 documented mitigations for T1204. Key mitigations include: User Training, Execution Prevention, Behavior Prevention on Endpoint, Restrict Web-Based Content, Network Intrusion Prevention.
Which threat groups use T1204?
Known threat groups using T1204 include: Scattered Spider, LAPSUS$.