User Execution (T1204)

An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.

While User Execution frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

Adversaries may also deceive users into performing actions such as enabling Remote Access Software, allowing direct control of the system to the adversary, or downloading and executing malware for User Execution. For example, tech support scams can be facilitated through Phishing, vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or Remote Access Software.(Citation: Telephone Attack Delivery)

Related Prelude attack chains

Are MOUSEISLAND malware procedures mitigated on this host?
Emulates procedures found in MOUSEISLAND malware.

Are GootLoader malware procedures mitigated on this host?
Emulates tactics found in GootLoader malware.

APT29 COVID-19 Vaccine Data
Emulating APT29's WellMess malware targeting vaccine research.

APT29 Democratic National Committee
Emulating Cozy Bear's 2016 Democratic National Committee hack.

Conti Recon And Initial Access
Perform recon and initial access of target environment.

Android ADB Shell
A first collection of TTPs for Android specifically targeting ADB shell commands.

B1-66ER (Initial Access)
Gain initial access by installing SciPy with concealed Schism agent.