User Execution

An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.

While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

ID: T1204
Sub-techniques:  T1204.001, T1204.002, T1204.003
Tactic: Execution
Platforms: Containers, IaaS, Linux, Windows, macOS
Permissions Required: User
Data Sources: Application Log: Application Log Content, Command: Command Execution, Container: Container Creation, Container: Container Start, File: File Creation, Image: Image Creation, Instance: Instance Creation, Instance: Instance Start, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Process: Process Creation
Contributors: Oleg Skulkin, Group-IB
Version: 1.3
Created: 18 April 2018
Last Modified: 20 April 2021


ID Mitigation Description
M1038 Execution Prevention

Application control may be able to prevent the running of executables masquerading as other files.

M1031 Network Intrusion Prevention

If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.

M1021 Restrict Web-Based Content

If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files.

M1017 User Training

Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.


Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.

Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).