User Execution

An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it.

ID: T1204

Tactic: Execution

Platform:  Linux, Windows, macOS

Permissions Required:  User

Data Sources:  Anti-virus, Process command-line parameters, Process monitoring

Version: 1.0

Mitigations

Mitigation Description
Execution Prevention Application whitelisting may be able to prevent the running of executables masquerading as other files.
Network Intrusion Prevention If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.
Restrict Web Based Content If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files in Obfuscated Files or Information.
User Training Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.

Examples

Name Description
APT12

APT12 has attempted to get victims to open malicious Microsoft Word and PDF attachment sent via spearphishing.[1][2]

APT19

APT19 attempted to get users to launch malicious attachments delivered via spearphishing emails.[3]

APT28

APT28 attempted to get users to click on Microsoft Office attachments containing malicious macro scripts.[4][5]

APT29

APT29 has used various forms of spearphishing attempting to get a user to open links or attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files.[6][7]

APT32

APT32 has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment.[8][9][10]

APT33

APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails.[11][12]

APT37

APT37 has sent spearphishing attachments attempting to get a user to open them.[13]

APT39

APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious attachment or link.[14]

BRONZE BUTLER

BRONZE BUTLER has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails.[15]

Cardinal RAT

Cardinal RAT lures victims into executing malicious macros embedded within Microsoft Excel documents.[16]

Cobalt Group

Cobalt Group has sent emails containing malicious attachments or links that require users to execute a file or macro to infect the victim machine.[17][18]

Dark Caracal

Dark Caracal makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it.[19]

Darkhotel

Darkhotel sent spearphishing emails with malicious attachments that required users to click on an image in the document to drop the malware to disk.[20]

DarkHydrus

DarkHydrus has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded.[21][22]

Dragonfly 2.0

Dragonfly 2.0 has used various forms of spearphishing in attempts to get users to open links or attachments.[23][24]

Elderwood

Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links and attachments.[25][26]

Emotet

Emotet has relied upon users clicking on a malicious link or attachment delivered through spearphishing.[27][28]

FIN4

FIN4 has lured victims to launch malicious attachments and click malicious links delivered via spearphishing emails (often sent from compromised accounts).[29][30]

FIN7

FIN7 lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file.[31]

FIN8

FIN8 has leveraged both Spearphishing Link and Spearphishing Attachment attempting to gain User Execution.[32][33][34]

Gallmaker

Gallmaker sent victims a lure document with a warning that asked victims to "enable content" for execution.[35]

Gorgon Group

Gorgon Group attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails.[36]

JCry

JCry has achieved execution by luring users to click on a file that appeared to be an Adobe Flash Player update installer.[37]

Lazarus Group

Lazarus Group has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.[38]

Leviathan

Leviathan has sent spearphishing emails links and attachments attempting to get a user to click.[39]

Magic Hound

Magic Hound has attempted to get users to execute malware via social media and spearphishing emails.[40]

menuPass

menuPass has attempted to get victims to open malicious files such as Windows Shortcuts (.lnk) and/or Microsoft Office documents, sent via email as part of spearphishing campaigns.[41][42][43][44][45]

MuddyWater

MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.[46][47][48][49]

Night Dragon

Night Dragon enticed users to click on links in spearphishing emails to download malware.[50]

OilRig

OilRig has delivered malicious links and macro-enabled documents that required targets to click the "enable content" button to execute the payload on the system.[51][52][53]

Patchwork

Patchwork embedded a malicious macro in a Word document and lured the victim to click on an icon to execute the malware.[54][55]

PLATINUM

PLATINUM has attempted to get users to open malicious files by sending spearphishing emails with attachments to victims.[56]

Rancor

Rancor attempted to get users to click on an embedded macro within a Microsoft Office Excel document to launch their malware.[57]

Silence

Silence attempts to get users to launch malicious attachments delivered via spearphishing emails.[58][59]

SQLRat

SQLRat relies on users clicking on an embedded image to execute the scripts.[60]

TA459

TA459 has attempted to get victims to open malicious Microsoft Word attachment sent via spearphishing.[61]

TA505

TA505 has used lures to get users to click links in emails and attachments, enable content in malicious attachments, and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. [62][63][64][65][66][67]

The White Company

The White Company has used phishing lure documents that trick users into opening them and infecting their computers.[68]

TrickBot

TrickBot has attempted to get users to launch a malicious Excel attachment to deliver its payload.[69]

Turla

Turla has used spearphishing via a link to get users to download and run their malware.[70]

TYPEFRAME

A Word document delivering TYPEFRAME prompts the user to enable macro execution.[71]

Detection

Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.

Anti-virus can potentially detect malicious documents and files that are downloaded and execuited on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as Exploitation for Client Execution and Scripting.

References

  1. Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.
  2. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  3. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  4. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  5. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  6. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  7. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
  8. Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
  9. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  10. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  11. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
  12. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  13. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  14. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  15. DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018.
  16. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  17. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  18. Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018.
  19. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  20. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
  21. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  22. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  23. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  24. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  25. O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
  26. Clayton, M.. (2012, September 14). Stealing US business secrets: Experts ID two huge cyber 'gangs' in China. Retrieved February 15, 2018.
  27. Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.
  28. Lee, S.. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.
  29. Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
  30. Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
  31. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  32. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  33. Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
  34. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  35. Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.
  36. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  1. Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.
  2. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  3. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  4. Counter Threat Unit Research Team. (2017, July 27). The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets. Retrieved February 26, 2018.
  5. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  6. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  7. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  8. United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
  9. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  10. Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
  11. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  12. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  13. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
  14. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  15. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  16. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  17. Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
  18. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  19. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  20. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  21. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  22. Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.
  23. GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
  24. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  25. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  26. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  27. Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.
  28. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  29. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
  30. Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.
  31. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  32. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  33. Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.
  34. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  35. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.