User Execution

Adversaries may rely on a targeted organization's user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents.

Adversaries may embed malicious code or Visual Basic code into files such as Microsoft Word and Excel documents or software installers. [1] Execution of this code requires that the user enable scripting or write access within the document. Embedded code may not always be noticeable to the user, especially in cases of trojanized software. [2]

A Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012 delivered malware through spearphishing attachments which required user action to achieve execution. [3]

ID: T0863
Sub-techniques:  No sub-techniques
Tactic: Execution
Platforms: None
Version: 1.1
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
S0093 Backdoor.Oldrea

Execution of Backdoor.Oldrea relies on a user opening a trojanized installer attached to an email. [2] [4]

S0606 Bad Rabbit

Bad Rabbit is disguised as an Adobe Flash installer. When the file is opened, it starts locking the infected computer. [5]

S0496 REvil

REvil initially executes when the user clicks on a JavaScript file included in the phishing email's .zip attachment. [6]

S0603 Stuxnet

Stuxnet infects DLLs associated with the WinCC Simatic manager which are responsible for opening project files. If a user opens an uninfected project file using a compromised manager, the file will be infected with Stuxnet code. If an infected project is opened with the Simatic manager, the modified data file will trigger a search for the xyz.dll file. If the xyz.dll file is not found in any of the specified locations, the malicious DLL will be loaded and executed by the manager. [7]

Targeted Assets

ID Asset
A0002 Human-Machine Interface (HMI)
A0012 Jump Host
A0001 Workstation

Mitigations

ID Mitigation Description
M0949 Antivirus/Antimalware

Ensure anti-virus solution can detect malicious files that allow user execution (e.g., Microsoft Office Macros, program installers).

M0945 Code Signing

Prevent the use of unsigned executables, such as installers and scripts.

M0938 Execution Prevention

Application control may be able to prevent the running of executables masquerading as other files.

M0931 Network Intrusion Prevention

If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.

M0921 Restrict Web-Based Content

If a link is being visited by a user, block in transit, by default or by policy for suspicious sites, unknown or unused file types that should not be downloaded, such as .scr, .exe, .pif, .cpl, etc., as a best practice to prevent some vectors. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar, that may be used to conceal malicious files.

M0917 User Training

Use user training to raise awareness of common phishing and spearphishing techniques and of how to raise suspicion for potentially malicious events.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor for application logging, messaging, and/or other artifacts that may rely upon specific actions by a user in order to gain execution.

DS0017 Command Command Execution

Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads. For added context on adversary procedures and background see User Execution and applicable sub-techniques.

DS0022 File File Access

Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning PowerShell).

DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe).

Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe).

DS0009 Process Process Creation

Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.
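
The File Access and Process Creation guidance above can be turned into a parent/child rule over process-creation events. The following is an added example, not part of the original technique page: the event field names, the process lists and the archive temp-folder prefixes are assumptions to adapt to your own telemetry.

```python
import ntpath
import re

# Assumed lists (not from the page): tune to the applications on your hosts.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "acrord32.exe", "7zfm.exe", "winrar.exe"}
SUSPECT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_ARG = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|hta)(?:\s|$)")
# Assumed temp-folder prefixes seen when a file is opened from inside an archive.
ARCHIVE_TEMP = (r"\temp1_", r"\7zo", r"\rar$")


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the reasons (possibly none) a process-creation event is suspicious."""
    reasons = []
    parent = image_name(event["parent_image"])
    child = image_name(event["image"])
    cmdline = event.get("command_line", "").lower().replace('"', " ")
    # Rule 1: a document or archive handler starts a script host or proxy binary.
    if parent in DOCUMENT_PARENTS and child in SUSPECT_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
    # Rule 2: a script host runs a script double-clicked inside an archive.
    if (child in SCRIPT_HOSTS and SCRIPT_ARG.search(cmdline)
            and any(marker in cmdline for marker in ARCHIVE_TEMP)):
        reasons.append(f"{child} ran a script from an archive temp folder")
    return reasons


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" '
                     r'"C:\Users\op1\AppData\Local\Temp\Temp1_invoice.zip\invoice.js"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "command_line": r'WINWORD.EXE "C:\Users\op1\Documents\report.docx"'},
    {"parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\msiexec.exe", "command_line": "msiexec.exe /V"},
]


def triage(events):
    """Map event index -> reasons, for flagged events only."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}
```

On HMIs and jump hosts, where Office and script hosts are rarely used legitimately, the same rules can usually alert on every match rather than feed a scoring pipeline.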

References