Esc
User Execution - T1204
(ATT&CK® Technique)
Definition
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1204["User Execution"] --> |accesses| URL["URL"]; class T1204 OffensiveTechniqueNode;
class URL ArtifactNode; click URL href "/dao/artifact/d3f:URL";
click T1204 href "/offensive-technique/attack/T1204/"; click URL href "/dao/artifact/d3f:URL"; T1204["User Execution"] --> |executes| ExecutableFile["Executable File"]; class T1204 OffensiveTechniqueNode;
class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile";
click T1204 href "/offensive-technique/attack/T1204/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; T1204["User Execution"] --> |produces| OutboundInternetWebTraffic["Outbound Internet Web Traffic"]; class T1204 OffensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode; click OutboundInternetWebTraffic href "/dao/artifact/d3f:OutboundInternetWebTraffic";
click T1204 href "/offensive-technique/attack/T1204/"; click OutboundInternetWebTraffic href "/dao/artifact/d3f:OutboundInternetWebTraffic"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->
| may-detect | T1204["User Execution"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
DynamicAnalysis["Dynamic Analysis"] -.->
| may-detect | T1204["User Execution"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; DecoyFile["Decoy File"] -->
| spoofs | ExecutableFile["Executable File"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1204["User Execution"] ;
class DecoyFile DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
| analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
| may-detect | T1204["User Execution"] ;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
| analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
| may-detect | T1204["User Execution"] ;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
| analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
| may-detect | T1204["User Execution"] ;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
| analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
| may-detect | T1204["User Execution"] ;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
| analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
| may-detect | T1204["User Execution"] ;
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; RelayPatternAnalysis["Relay Pattern Analysis"] -->
| analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];
RelayPatternAnalysis["Relay Pattern Analysis"] -.->
| may-detect | T1204["User Execution"] ;
class RelayPatternAnalysis DefensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode;
click RelayPatternAnalysis href "/technique/d3f:RelayPatternAnalysis"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
| analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
| may-detect | T1204["User Execution"] ;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; URLAnalysis["URL Analysis"] -->
| analyzes | URL["URL"];
URLAnalysis["URL Analysis"] -.->
| may-detect | T1204["User Execution"] ;
class URLAnalysis DefensiveTechniqueNode;
class URL ArtifactNode;
click URLAnalysis href "/technique/d3f:URLAnalysis"; IdentifierActivityAnalysis["Identifier Activity Analysis"] -->
| analyzes | URL["URL"];
IdentifierActivityAnalysis["Identifier Activity Analysis"] -.->
| may-detect | T1204["User Execution"] ;
class IdentifierActivityAnalysis DefensiveTechniqueNode;
class URL ArtifactNode;
click IdentifierActivityAnalysis href "/technique/d3f:IdentifierActivityAnalysis"; HomoglyphDetection["Homoglyph Detection"] -->
| analyzes | URL["URL"];
HomoglyphDetection["Homoglyph Detection"] -.->
| may-detect | T1204["User Execution"] ;
class HomoglyphDetection DefensiveTechniqueNode;
class URL ArtifactNode;
click HomoglyphDetection href "/technique/d3f:HomoglyphDetection"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
| analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
| may-detect | T1204["User Execution"] ;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | ExecutableFile["Executable File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1204["User Execution"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] -->
| deletes | ExecutableFile["Executable File"];
FileEviction["File Eviction"] -.->
| may-evict | T1204["User Execution"] ;
class FileEviction DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileEncryption["File Encryption"] -->
| encrypts | ExecutableFile["Executable File"];
FileEncryption["File Encryption"] -.->
| may-harden | T1204["User Execution"] ;
class FileEncryption DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] -->
| restricts | ExecutableFile["Executable File"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1204["User Execution"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
| filters | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.->
| may-isolate | T1204["User Execution"] ;
class NetworkTrafficFiltering DefensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; ExecutableDenylisting["Executable Denylisting"] -->
| blocks | ExecutableFile["Executable File"];
ExecutableDenylisting["Executable Denylisting"] -.->
| may-isolate | T1204["User Execution"] ;
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; RestoreFile["Restore File"] -->
| restores | ExecutableFile["Executable File"];
RestoreFile["Restore File"] -.->
| may-restore | T1204["User Execution"] ;
class RestoreFile DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; FileAnalysis["File Analysis"] -->
| analyzes | ExecutableFile["Executable File"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1204["User Execution"] ;
class FileAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | ExecutableFile["Executable File"];
ExecutableAllowlisting["Executable Allowlisting"] -.->
| may-isolate | T1204["User Execution"] ;
class ExecutableAllowlisting DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; URLReputationAnalysis["URL Reputation Analysis"] -->
| analyzes | URL["URL"];
URLReputationAnalysis["URL Reputation Analysis"] -.->
| may-detect | T1204["User Execution"] ;
class URLReputationAnalysis DefensiveTechniqueNode;
class URL ArtifactNode;
click URLReputationAnalysis href "/technique/d3f:URLReputationAnalysis"; OutboundTrafficFiltering["Outbound Traffic Filtering"] -->
| filters | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];
OutboundTrafficFiltering["Outbound Traffic Filtering"] -.->
| may-isolate | T1204["User Execution"] ;
class OutboundTrafficFiltering DefensiveTechniqueNode;
class OutboundInternetWebTraffic ArtifactNode;
click OutboundTrafficFiltering href "/technique/d3f:OutboundTrafficFiltering"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | ExecutableFile["Executable File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1204["User Execution"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";