Micro Emulation Plan: User Execution

This micro emulation plan targets malicious activity associated with T1204 User Execution. User execution is commonly abused by adversaries as a means of executing malicious payloads. This behavior specifically highlights execution invoked by the victim in the form of clicking or otherwise invoking malicious code from phishing or other delivery campaigns.

Table Of Contents:

Description of Emulated Behaviors

What are we doing? This module provides an easy-to-execute tool for invoking various types of payloads that emulate the mechanics of a user executing an adversary's malicious payload. These modules support three variants that each:

  1. Plant the malicious payload on disk
  2. Invoke command execution through the payload file(s)

Cyber Threat Intel / Background

Why should you care? T1204 User Execution is commonly abused as a follow-up to Initial Access via T1566 Phishing where adversaries rely on users to execute delivered payloads. These payloads are typically file formats that facilitate the execution of commands and lead to follow-on activities by downloading and staging additional payloads onto the victim host.

Execution Instructions / Resources

This repository includes modules that execute three variants of user execution:

Execution Demo

Animated screen capture demonstrating use of the tool.

Defensive Lessons Learned

Detection

Malicious user execution can be difficult to distinguish from benign user/system activity, though payloads executed through user click interactions can typically be identified by monitoring child processes of explorer.exe.

<Sysmon schemaversion="4.30">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <ParentCommandLine name="technique_id=T1204,technique_name=User Execution" condition="is">C:\Windows\explorer.exe</ParentCommandLine>
        <ParentImage name="technique_id=T1204,technique_name=User Execution" condition="is">C:\Windows\explorer.exe</ParentImage>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

Excerpted from github.com/olafhartong/sysmon-modular.

User execution targeting Microsoft Office files may also be detected via module loads associated with script/command execution. Detection efforts may also focus on identifying abnormal process behavior that may be a side effect of malicious user execution, such as Office applications spawning command interpreters, creating additional files commonly abused as malicious payloads, or generating network traffic.
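Added example (not code from the emulation plan or from sysmon-modular): a small Python triage routine that applies the detection ideas above to Sysmon Event ID 1 (ProcessCreate) records, flagging script/command interpreters whose parent is explorer.exe, Office applications spawning command interpreters, and explorer.exe opening payload file types such as .iso. The interpreter and Office image names, the payload extension list, and the sample records are assumptions constructed for the example.

```python
from typing import Optional
# Image names treated as script/command interpreters and as Office hosts (assumed lists).
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Payload file types of the kind the detection and mitigation text call out (assumed list).
PAYLOAD_EXTS = (".lnk", ".js", ".vbs", ".hta", ".iso", ".docm", ".xlsm")

def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def mentions_payload_ext(cmdline: str) -> bool:
    """True if any argument (quotes stripped) ends with a payload extension."""
    return any(tok.strip('"').lower().endswith(PAYLOAD_EXTS)
               for tok in cmdline.split())

def classify(event: dict) -> Optional[str]:
    """Tag one Sysmon EID 1 record as suspicious user execution, else None."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent == "explorer.exe" and child in INTERPRETERS:
        return "explorer_spawned_interpreter"      # user clicked a script/LNK
    if parent in OFFICE_APPS and child in INTERPRETERS:
        return "office_spawned_interpreter"        # macro reaching a shell
    if parent == "explorer.exe" and mentions_payload_ext(event.get("CommandLine", "")):
        return "explorer_opened_payload_type"      # e.g. double-clicked .iso
    return None

def triage(events: list) -> list:
    """Return (Image, tag) for every flagged event, preserving order."""
    return [(ev["Image"], tag) for ev in events if (tag := classify(ev))]

# Constructed sample records mimicking Sysmon EID 1 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\invoice.js"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\notepad.exe",          # benign click
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\Desktop\notes.txt"},
    {"Image": r"C:\Windows\explorer.exe",                  # mounting an ISO
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'explorer.exe "C:\Users\alice\Downloads\Quote.iso"'},
]
if __name__ == "__main__":
    for image, tag in triage(SAMPLE_EVENTS):
        print(f"{tag:30} {image}")
```

The extension check is a coarse substring-on-argument match; in production it would be paired with the parent-process rules above and with path context such as Downloads or Temp directories.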

Mitigation

User execution may be difficult if not impossible to mitigate given that user execution is strongly associated with benign behavior. Efforts are better focused on blocking known, detectable patterns of abuse, such as filtering email and other delivery of specific file types, blocking execution of risky Office macros, and disabling the functionality to mount ISO image files.