T1204

User Execution

An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566). While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other ph...

Platforms: Linux, Windows, macOS, IaaS, Containers

84 Detections
3 Sources
2 Threat Actors

BY SOURCE

50 elastic, 27 splunk_escu, 7 sigma

PROCEDURES (56)

General Monitoring (7 detections)

Auto-extracted: 7 detections for general monitoring

Script Execution Monitoring (4 detections)

Auto-extracted: 4 detections for script execution monitoring

Process Creation Monitoring (4 detections)

Auto-extracted: 4 detections for process creation monitoring

Command And Control (4 detections)

Auto-extracted: 4 detections for command and control

Lateral (3 detections)

Auto-extracted: 3 detections for lateral

Exfiltrat (2 detections)

Auto-extracted: 2 detections for exfiltrat

Anomal (2 detections)

Auto-extracted: 2 detections for anomal

Download (2 detections)

Auto-extracted: 2 detections for download

Ransomware (2 detections)

Auto-extracted: 2 detections for ransomware

Child Process (2 detections)

Auto-extracted: 2 detections for child process

Base64 (2 detections)

Auto-extracted: 2 detections for base64

Privilege (2 detections)

Auto-extracted: 2 detections for privilege

Phish (2 detections)

Auto-extracted: 2 detections for phish

Email (2 detections)

Auto-extracted: 2 detections for email

Masquerad (2 detections)

Auto-extracted: 2 detections for masquerad

Network Connection Monitoring (2 detections)

Auto-extracted: 2 detections for network connection monitoring

Service (1 detection)

Auto-extracted: 1 detection for service

Persist (1 detection)

Auto-extracted: 1 detection for persist

Lateral (1 detection)

Auto-extracted: 1 detection for lateral

Anomal (1 detection)

Auto-extracted: 1 detection for anomal

Lateral (1 detection)

Auto-extracted: 1 detection for lateral

Privilege (1 detection)

Auto-extracted: 1 detection for privilege

Macro (1 detection)

Auto-extracted: 1 detection for macro

Unusual (1 detection)

Auto-extracted: 1 detection for unusual

Email (1 detection)

Auto-extracted: 1 detection for email

Persist (1 detection)

Auto-extracted: 1 detection for persist

Encrypt (1 detection)

Auto-extracted: 1 detection for encrypt

Phish (1 detection)

Auto-extracted: 1 detection for phish

Phish (1 detection)

Auto-extracted: 1 detection for phish

Obfuscat (1 detection)

Auto-extracted: 1 detection for obfuscat

Obfuscat (1 detection)

Auto-extracted: 1 detection for obfuscat

Masquerad (1 detection)

Auto-extracted: 1 detection for masquerad

Remote (1 detection)

Auto-extracted: 1 detection for remote

Ransomware (1 detection)

Auto-extracted: 1 detection for ransomware

Remote (1 detection)

Auto-extracted: 1 detection for remote

Office (1 detection)

Auto-extracted: 1 detection for office

Child Process (1 detection)

Auto-extracted: 1 detection for child process

Macro (1 detection)

Auto-extracted: 1 detection for macro

Child Process (1 detection)

Auto-extracted: 1 detection for child process

Exfiltrat (1 detection)

Auto-extracted: 1 detection for exfiltrat

Macro (1 detection)

Auto-extracted: 1 detection for macro

Suspicious (1 detection)

Auto-extracted: 1 detection for suspicious

Remote (1 detection)

Auto-extracted: 1 detection for remote

Persist (1 detection)

Auto-extracted: 1 detection for persist

Base64 (1 detection)

Auto-extracted: 1 detection for base64

Evasion (1 detection)

Auto-extracted: 1 detection for evasion

Evasion (1 detection)

Auto-extracted: 1 detection for evasion

Download (1 detection)

Auto-extracted: 1 detection for download

Office (1 detection)

Auto-extracted: 1 detection for office

Download (1 detection)

Auto-extracted: 1 detection for download

Email (1 detection)

Auto-extracted: 1 detection for email

Container (1 detection)

Auto-extracted: 1 detection for container

Anomal (1 detection)

Auto-extracted: 1 detection for anomal

Privilege (1 detection)

Auto-extracted: 1 detection for privilege

Persist (1 detection)

Auto-extracted: 1 detection for persist

Container (1 detection)

Auto-extracted: 1 detection for container

THREAT ACTORS (2)

DETECTIONS (84)

Anomalous Process For a Windows Population (elastic, low)
Anomalous Windows Process Creation (elastic, low)
Antivirus Hacktool Detection (sigma, high)
Arbitrary Shell Command Execution Via Settingcontent-Ms (sigma, medium)
AWS Lambda UpdateFunctionCode (splunk_escu)
Base64 Decoded Payload Piped to Interpreter (elastic, high)
Cisco Secure Firewall - Lumma Stealer Activity (splunk_escu)
Clop Common Exec Parameter (splunk_escu)
Conti Common Exec parameter (splunk_escu)
Decoded Payload Piped to Interpreter Detected via Defend for Containers (elastic, high)
Detect Rare Executables (splunk_escu)
Downloaded Shortcut Files (elastic, medium)
Downloaded URL Files (elastic, medium)
Elastic Defend Alert Followed by Telemetry Loss (elastic, high)
Encoded Payload Detected via Defend for Containers (elastic, medium)
Executable File Creation with Multiple Extensions (elastic, medium)
Executable File Download via Wget (elastic, medium)
Execution of a Downloaded Windows Script (elastic, medium)
Execution of File Written or Modified by Microsoft Office (elastic, high)
File with Right-to-Left Override Character (RTLO) Created/Executed (elastic, medium)
Gatekeeper Override and Execution (elastic, high)
Google Workspace Object Copied to External Drive with App Consent (elastic, medium)
Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers (elastic, high)
Kubernetes Anomalous Inbound Network Activity from Process (splunk_escu)
Kubernetes Anomalous Inbound Outbound Network IO (splunk_escu)
Kubernetes Anomalous Inbound to Outbound Network IO Ratio (splunk_escu)
Kubernetes Anomalous Outbound Network Activity from Process (splunk_escu)
Kubernetes Anomalous Traffic on Network Edge (splunk_escu)
Kubernetes Create or Update Privileged Pod (splunk_escu)
Kubernetes DaemonSet Deployed (splunk_escu)
Kubernetes Falco Shell Spawned (splunk_escu)
Kubernetes newly seen TCP edge (splunk_escu)
Kubernetes newly seen UDP edge (splunk_escu)
Kubernetes Node Port Creation (splunk_escu)
Kubernetes Pod Created in Default Namespace (splunk_escu)
Kubernetes Pod With Host Network Attachment (splunk_escu)
Kubernetes Previously Unseen Container Image Name (splunk_escu)
Kubernetes Previously Unseen Process (splunk_escu)
Kubernetes Process Running From New Path (splunk_escu)
Kubernetes Process with Anomalous Resource Utilisation (splunk_escu)
Kubernetes Process with Resource Ratio Anomalies (splunk_escu)
Kubernetes Shell Running on Worker Node (splunk_escu)
Kubernetes Shell Running on Worker Node with CPU Activity (splunk_escu)
Kubernetes Unauthorized Access (splunk_escu)
Malicious File - Detected - Elastic Defend (elastic, medium)
Malicious File - Prevented - Elastic Defend (elastic, low)
Masquerading Space After Filename (elastic, medium)
Microsoft Build Engine Started by an Office Application (elastic, high)
Microsoft Management Console File from Unusual Path (elastic, medium)
MS Office Macro Security Registry Modifications (elastic, medium)
Multi-Base64 Decoding Attempt from Suspicious Location (elastic, medium)
Network Connection via Compiled HTML File (elastic, low)
Network Traffic to Rare Destination Country (elastic, low)
Node.js Pre or Post-Install Script Execution (elastic, medium)
Payload Decoded and Decrypted via Built-in Utilities (sigma, medium)
Potential Execution via FileFix Phishing Attack (elastic, high)
Potential Fake CAPTCHA Phishing Attack (elastic, high)
Potential Hex Payload Execution via Command-Line (elastic, low)
Potential Hex Payload Execution via Common Utility (elastic, low)
Potential Masquerading as Business App Installer (elastic, low)
Potential Notepad Markdown RCE Exploitation (elastic, high)
Potential Widespread Malware Infection Across Multiple Hosts (elastic, high)
Potentially Suspicious WebDAV LNK Execution (sigma, medium)
Process Activity via Compiled HTML File (elastic, medium)
Remote Desktop File Opened from Suspicious Path (elastic, medium)
Revil Common Exec Parameter (splunk_escu)
Spike in host-based traffic (elastic, low)
Suspicious Apple Mail Rule Plist Modification (elastic, medium)
Suspicious Binaries and Scripts in Public Folder (sigma, high)
Suspicious Deno File Written from Remote Source (sigma, low)
Suspicious Execution from a Mounted Device (elastic, medium)
Suspicious Execution from a WebDav Share (elastic, high)
Suspicious Execution from INET Cache (elastic, high)
Suspicious Execution from VS Code Extension (elastic, medium)
Suspicious Execution via macOS Script Editor (sigma, medium)
Suspicious Execution via Microsoft Office Add-Ins (elastic, medium)
Suspicious HTML File Creation (elastic, medium)
Suspicious macOS MS Office Child Process (elastic, medium)
Suspicious MS Outlook Child Process (elastic, low)
Suspicious PDF Reader Child Process (elastic, low)
Unusual Base64 Encoding/Decoding Activity (elastic, low)
Unusual Execution via Microsoft Common Console File (elastic, high)
Unusual Windows Path Activity (elastic, low)
Windows Script Execution from Archive (elastic, medium)