T0863 User Execution
Adversaries may rely on a targeted organizations user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents.
Adversaries may embed malicious code or visual basic code into files such as Microsoft Word and Excel documents or software installers. 1 Execution of this code requires that the user enable scripting or write access within the document. Embedded code may not always be noticeable to the user especially in cases of trojanized software. 2
A Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012 delivered malware through spearphishing attachments which required user action to achieve execution. 3
| Item | Value |
|---|---|
| ID | T0863 |
| Sub-techniques | |
| Tactics | TA0104 |
| Platforms | Engineering Workstation, Human-Machine Interface |
| Version | 1.1 |
| Created | 21 May 2020 |
| Last Modified | 09 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0093 | Backdoor.Oldrea | Execution of Backdoor.Oldrea relies on a user opening a trojanized installer attached to an email. 2 7 |
| S0606 | Bad Rabbit | Bad Rabbit is disguised as an Adobe Flash installer. When the file is opened it starts locking the infected computer. 6 |
| S0496 | REvil | REvil initially executes when the user clicks on a JavaScript file included in the phishing emails .zip attachment. 5 |
| S0603 | Stuxnet | Stuxnet infects DLL’s associated with the WinCC Simatic manager which are responsible for opening project files. If a user opens an uninfected project file using a compromised manager, the file will be infected with Stuxnet code. If an infected project is opened with the Simatic manager, the modified data file will trigger a search for the xyz.dll file. If the xyz.dll file is not found in any of the specified locations, the malicious DLL will be loaded and executed by the manager. 4 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0949 | Antivirus/Antimalware | Ensure anti-virus solution can detect malicious files that allow user execution (e.g., Microsoft Office Macros, program installers). |
| M0945 | Code Signing | Prevent the use of unsigned executables, such as installers and scripts. |
| M0938 | Execution Prevention | Application control may be able to prevent the running of executables masquerading as other files. |
| M0931 | Network Intrusion Prevention | If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity. |
| M0921 | Restrict Web-Based Content | If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files. |
| M0917 | User Training | Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0017 | Command | Command Execution |
| DS0022 | File | File Access |
| DS0029 | Network Traffic | Network Connection Creation |
| DS0009 | Process | Process Creation |
References
-
Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ↩
-
Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ↩↩
-
Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ↩
-
Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ↩
-
Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ↩
-
Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov 2017, October 27 Bad Rabbit Ransomware Retrieved. 2019/10/27 ↩
-
Kyle Wilhoit Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ICS Malware: Havex and Black Energy Retrieved. 2019/10/22 ↩