T1204 - User Execution#
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.
While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user’s desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
Adversaries may also deceive users into performing actions such as enabling Remote Access Software, allowing direct control of the system to the adversary, or downloading and executing malware for User Execution. For example, tech support scams can be facilitated through Phishing, vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or Remote Access Software.(Citation: Telephone Attack Delivery)
Atomic Tests:#
Currently, no tests are available for this technique.
Detection#
Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.
Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user’s computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).
Shield Active Defense#
Detonate Malware#
Execute malware under controlled conditions to analyze its functionality.
An execution environment can range from a somewhat sterile commercial malware execution appliance, to a bespoke system crafted to meet engagement goals. The execution environment will typically be highly instrumented and have special controls to ensure the experiment is contained and harmless to unrelated systems.
Opportunity#
There is an opportunity to study the adversary and collect first-hand observations about them and their tools.
Use Case#
A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence.
Procedures#
Take malware received via spearphishing and detonate it on an isolated system in order to collect execution and network communication artifacts. Detonate a malware sample in a decoy network to engage with an adversary and study their TTPs.