T1204

Linux Windows macOS IaaS Containers
User Execution

Description

An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link.

These user actions will typically be observed as follow-on behavior from forms of Phishing. While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it.

  • Running malicious JavaScript in their browser, allowing adversaries to Steal Web Session Cookies
  • Downloading and executing malware for User Execution
  • Coerceing users to copy, paste, and execute malicious code manually For example, tech support scams can be facilitated through Phishing, vishing, or various forms of user interaction.

Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or Remote Access Tools.

Sub-techniques

T1204.001 — Malicious Link T1204.002 — Malicious File T1204.003 — Malicious Image T1204.004 — Malicious Copy and Paste T1204.005 — Malicious Library