MITRE ATT&CK® Detection Strategy

DET0791: Detection of User Execution


ICS | DET0791 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0791 is a detection strategy for User Execution in the ICS ATT&CK domain. Its business significance is that malicious activity may depend on a legitimate user opening an attachment, installing software, enabling scripting, or granting elevated document permissions. For security leaders, this makes user-facing controls, evidence collection, and response playbooks important because the initial execution may look like normal human activity rather than a clearly external intrusion.

Executive priority

Treat this as a readiness question: can the organization prove when user-driven execution occurs in environments that support critical operations, and can the SOC distinguish routine user activity from risky attachment, installer, or scripting behavior? Because the ATT&CK object provides no official detection logic or platform scope, leaders should prioritize validation of logging coverage, user-awareness controls, application execution governance, and incident response decision points before assuming coverage exists.

Technical view

This detection strategy is related to ICS technique T0863, User Execution. SOC and IR teams should validate whether they can observe user-initiated execution paths described in the related technique: opening email attachments, installing applications, enabling scripting or write access in documents, and granting higher permissions to documents. Because ATT&CK does not specify platforms, tactics, or detection analytics for DET0791, detection engineering should be environment-specific and should focus on correlating user action, file origin, application launch, script or macro enablement, and subsequent process or file activity.

Likely telemetry

  • Endpoint process execution and application launch records where collected
  • File open, create, modify, and write events for documents, attachments, and installers
  • Email or messaging security logs showing attachment delivery and user interaction where available
  • Document scripting, macro, or write-access enablement events where logged
  • Application installation records and software inventory changes

Detection direction

  • Confirm which systems actually collect user-action and execution telemetry; do not assume coverage because the strategy has no official detection text.
  • Correlate attachment or installer access with subsequent process execution, file writes, script enablement, or permission changes.
  • Tune for context: legitimate document workflows and approved software installs can create false positives, especially where users routinely handle operational files or vendor-provided installers.
  • Look for blind spots around unmanaged workstations, shared accounts, limited endpoint logging, and environments where email, document, or installer activity is not centrally recorded.
  • Use the relationship to T0863 to scope detections around user-dependent execution rather than purely automated malware execution.
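As an added illustration, not part of the Glexia page or of MITRE's object, the following Python sketch implements the correlation the bullets above describe: a user-driven trigger (attachment open or installer access) followed, on the same host and user and within a short window, by process execution, macro enablement, file writes or permission changes. It also shows the two tuning points the bullets call out, an allowlist for approved vendor installers and a check for hosts that report no user-action telemetry at all. The event format, field names, five-minute window, host names and the sample records are all constructed assumptions for this example.

```python
"""Correlate user-initiated file access with follow-on activity (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed record layout: "<ISO timestamp> <host> <user> <event kind> <detail>".
# Real telemetry would come from endpoint, email and document-audit sources; these
# lines are constructed for the example only.
SAMPLE_LINES = [
    "2024-05-01T08:02:10 eng-ws01 jdoe attachment_open invoice_Q2.docm",
    "2024-05-01T08:02:35 eng-ws01 jdoe macro_enabled invoice_Q2.docm",
    "2024-05-01T08:02:41 eng-ws01 jdoe process_start powershell.exe",
    "2024-05-01T08:03:02 eng-ws01 jdoe file_write roaming/upd.exe",
    "2024-05-01T09:15:00 hmi-ws02 operator installer_access vendor_hmi_setup_v4.exe",
    "2024-05-01T09:16:10 hmi-ws02 operator process_start vendor_hmi_setup_v4.exe",
    "2024-05-01T10:00:00 eng-ws03 asmith attachment_open schedule.pdf",
    "2024-05-01T11:30:00 eng-ws03 asmith process_start notepad.exe",
]

# Kinds that represent the user action (the T0863 dependency) and the follow-on activity
# that makes it worth looking at. These categories are assumptions for the example.
TRIGGER_KINDS = {"attachment_open", "installer_access"}
FOLLOW_ON_KINDS = {"process_start", "macro_enabled", "file_write", "permission_change"}
DEFAULT_WINDOW = timedelta(minutes=5)


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse one constructed record into an Event."""
    ts, host, user, kind, detail = line.strip().split(" ", 4)
    return Event(datetime.fromisoformat(ts), host, user, kind, detail)


def load_events(lines) -> list:
    """Parse and time-order a batch of records."""
    return sorted((parse_line(l) for l in lines), key=lambda e: e.ts)


def correlate(events, window=DEFAULT_WINDOW, approved_installers=frozenset()) -> list:
    """Return findings: each trigger with the follow-on events seen within `window`
    on the same host and user. Approved installers are skipped to reduce noise from
    routine vendor software installs."""
    findings = []
    for i, trig in enumerate(events):
        if trig.kind not in TRIGGER_KINDS:
            continue
        if trig.kind == "installer_access" and trig.detail in approved_installers:
            continue
        follow_on = [
            e for e in events[i + 1:]
            if e.host == trig.host and e.user == trig.user
            and e.kind in FOLLOW_ON_KINDS and e.ts - trig.ts <= window
        ]
        if follow_on:
            # Score by distinct follow-on kinds: macro + process + write is a fuller chain
            # than a single process start after an installer is opened.
            findings.append({
                "trigger": trig,
                "follow_on": follow_on,
                "score": len({e.kind for e in follow_on}),
            })
    return findings


def hosts_without_telemetry(events, expected_hosts) -> list:
    """Blind-spot check: expected hosts that reported no user-action events at all."""
    seen = {e.host for e in events}
    return sorted(h for h in expected_hosts if h not in seen)


def describe(finding) -> str:
    t = finding["trigger"]
    chain = " -> ".join(f"{e.kind}({e.detail})" for e in finding["follow_on"])
    return f"[score {finding['score']}] {t.host}/{t.user}: {t.kind}({t.detail}) -> {chain}"


if __name__ == "__main__":
    evts = load_events(SAMPLE_LINES)
    for f in correlate(evts, approved_installers=frozenset({"vendor_hmi_setup_v4.exe"})):
        print(describe(f))
    print("no telemetry from:", hosts_without_telemetry(evts, {"eng-ws01", "hmi-ws02", "eng-ws03", "plc-eng04"}))
```

Run as written, the macro chain on eng-ws01 is reported with a score of 3, the approved HMI installer is suppressed, the attachment on eng-ws03 produces nothing because its process start falls 90 minutes outside the window, and plc-eng04 is flagged as a host with no telemetry. The window, the allowlist and the scoring are the knobs a team would tune to its own document workflows and installer approvals.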

Mitigation priorities

  • Establish or validate logging for user-initiated execution paths before relying on analytic coverage.
  • Restrict or govern risky document scripting, macro execution, write-access enablement, and unapproved software installation according to business need.
  • Strengthen user awareness and handling procedures for attachments, installers, and permission prompts, especially for users supporting operational environments.
  • Maintain software allowlisting or application control where feasible, with an exception process that supports operations without normalizing untracked installs.
  • Ensure IR playbooks capture the user action, file source, execution chain, and containment decisions needed for evidence and audit readiness.

Analyst notes and limits

The supplied ATT&CK object is a detection strategy with no official description, no official detection text, no specified platforms, and no tactics. The only behavioral context comes from its relationship to ICS technique T0863, User Execution. The practical value is therefore in using it as a coverage-validation prompt rather than as a ready-made analytic.

This take does not assert active exploitation, specific malware, attribution, platform coverage, or guaranteed detection. Local architecture, logging configuration, user workflows, and control design are required to turn this strategy into deployable detections or risk decisions.

Official MITRE ATT&CK definition

Detection of User Execution

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
ICS | T0863 | User Execution | This object detects User Execution.

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
1fd39a67b0117af3...
Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 1fd39a67b011…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0791 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.