T0863: User Execution
Adversaries may rely on a targeted organization's user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents.
Adversaries may embed malicious code or Visual Basic code into files such as Microsoft Word and Excel documents or software installers. [1] Execution of this code requires that the user enable scripting or write access within the document. Embedded code may not always be noticeable to the user, especially in cases of trojanized software. [2]
A Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012 delivered malware through spearphishing attachments that required user action to achieve execution. [3]
Analyst context for executives and security teams
User Execution in ICS is the risk that an adversary’s code only runs after a person opens, installs, enables, or grants something. In operational environments, that person may be an engineer, operator, or remote-access user working from a workstation, HMI, or jump host. The business issue is not just phishing awareness; it is whether critical operational access paths can resist unsafe files, trojanized installers, scripts, and permission prompts without disrupting plant availability.
Executive priority
Treat this as a resilience and control-assurance priority for ICS operations. Leaders should ask whether operator and engineering workstations, HMIs, and jump hosts have practical safeguards for attachments, downloads, scripting, application integrity, and user training. This technique is material to audit evidence because coverage depends on proving that user-facing controls, execution prevention, antimalware, web-content restrictions, and network boundary protections are deployed and tested in ways that do not impair real-time control or safety functions.
Technical view
ATT&CK provides no official detection text and no platform value for the technique itself. Validation should therefore focus on the related ICS assets and mitigations: workstations, HMIs, and jump hosts; user training; web-content restrictions; network intrusion prevention; execution prevention; code signing; and antivirus/antimalware where suitable. SOC and IR teams should verify whether they can reconstruct the chain from file delivery or download, to user action, to script or binary execution, especially for Microsoft Office-style documents, installers, and other files that may contain embedded code. In ICS, testing must account for availability constraints before deploying endpoint controls on critical or real-time systems.
Likely telemetry
- Email security and attachment metadata for spearphishing-style delivery
- Web proxy or secure web gateway logs for downloads and blocked content
- Endpoint process creation and script execution logs on operator/engineering workstations where available
- Application control, script blocking, and code-signing allow/deny events
- Antivirus/antimalware detections and quarantine records on approved ICS assets
Detection direction
- Confirm whether DET0791, Detection of User Execution, is implemented locally and mapped to actual telemetry sources; ATT&CK does not provide the detection logic in the supplied object.
- Tune for the sequence of user-delivered file plus execution, not just the presence of an attachment or download.
- Prioritize visibility on workstations, HMIs, and jump hosts because these are the assets this technique targets in the supplied relationships.
- Review false positives from legitimate engineering tools, vendor installers, maintenance media, and approved document workflows before enforcing blocks in production ICS.
- Validate that network intrusion prevention signatures are placed and configured so they do not disrupt protocols or communications responsible for real-time control or safety.
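As an added example (not from ATT&CK or Glexia), the following Python correlates constructed delivery and process-creation events into the delivery-to-user-action-to-execution chain described above, and leaves a benign Office child process unflagged. Host names, the event schema, the process lists and the 30-minute window are assumptions.

```python
"""Correlate user-delivered files with subsequent script or binary execution.

Added example (not ATT&CK or Glexia code). All telemetry below is constructed;
host roles, the event schema and the correlation window are assumptions.
"""
from datetime import datetime, timedelta

# Assumed: the user-facing ICS assets this technique targets, by role.
ICS_USER_ASSETS = {"eng-ws01": "workstation", "hmi-03": "hmi", "jump-01": "jump host"}
# Document handlers whose child processes deserve scrutiny, and script hosts
# that a macro or trojanized installer would typically spawn.
DOC_PARENTS = {"winword.exe", "excel.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}

# Constructed sample telemetry: file delivery (email/proxy) and process creation.
DELIVERY = [
    {"ts": "2024-03-05T08:02:00", "host": "eng-ws01", "user": "jsmith", "file": "maintenance_plan.docm", "via": "email"},
    {"ts": "2024-03-05T08:10:00", "host": "hmi-03", "user": "operator", "file": "vendor_update.exe", "via": "download"},
    {"ts": "2024-03-05T09:00:00", "host": "jump-01", "user": "rmt", "file": "report.xlsx", "via": "email"},
]
PROCESS = [
    {"ts": "2024-03-05T08:05:30", "host": "eng-ws01", "user": "jsmith", "parent": "winword.exe", "image": "wscript.exe"},
    {"ts": "2024-03-05T08:11:00", "host": "hmi-03", "user": "operator", "parent": "explorer.exe", "image": "vendor_update.exe"},
    {"ts": "2024-03-05T08:11:20", "host": "hmi-03", "user": "operator", "parent": "vendor_update.exe", "image": "powershell.exe"},
    # Benign: Excel launching the print helper is a common false positive source.
    {"ts": "2024-03-05T09:01:00", "host": "jump-01", "user": "rmt", "parent": "excel.exe", "image": "splwow64.exe"},
]


def correlate(deliveries, processes, window_minutes=30):
    """Return one alert per delivered file that is followed, on the same host and
    user within the window, by a script host spawned from a document handler or
    from the delivered file itself. Delivery alone never alerts."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for d in deliveries:
        t0 = datetime.fromisoformat(d["ts"])
        for p in processes:
            tp = datetime.fromisoformat(p["ts"])
            if p["host"] != d["host"] or p["user"] != d["user"] or not (t0 <= tp <= t0 + window):
                continue
            parent, image = p["parent"].lower(), p["image"].lower()
            if image in SCRIPT_HOSTS and (parent in DOC_PARENTS or parent == d["file"].lower()):
                alerts.append({"host": d["host"], "role": ICS_USER_ASSETS.get(d["host"], "unknown"),
                               "file": d["file"], "via": d["via"], "parent": parent, "child": image})
    return alerts
```

Run `correlate(DELIVERY, PROCESS)` to see the two chains (macro document to wscript.exe on the workstation, downloaded installer to powershell.exe on the HMI) while the Excel print helper on the jump host stays quiet.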
Mitigation priorities
- Start with role-specific user training focused on suspicious attachments, installers, permission prompts, and social engineering involving ICS operations.
- Restrict web-based content, downloads, attachments, JavaScript, and browser extensions where operationally feasible.
- Use execution prevention such as application control and script blocking for workstations, HMIs, and jump hosts after representative testing.
- Enforce code-signing or digital signature verification for trusted binaries and applications where supported by the environment.
- Deploy antivirus/antimalware only on ICS assets where it has been validated in a representative test environment and will not jeopardize availability.
Analyst notes and limits
The supplied relationships show this technique targeting Workstations, HMIs, and Jump Hosts and being used by several software entries, including Backdoor.Oldrea, REvil, Stuxnet, and Bad Rabbit. Those relationships support prioritizing user-facing ICS assets and remote-management pathways, but they do not prove current exposure or activity in any specific environment.
ATT&CK does not provide official detection details, tactics, or technique-level platforms for T0863 in the supplied fields. Local environment data is required to determine which assets can collect endpoint telemetry, which controls can be safely enforced, and whether existing detections cover the relevant user-action-to-execution chain.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
S0496: REvil
REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.[1][2][3]
S0093: Backdoor.Oldrea
Backdoor.Oldrea is a modular backdoor that was used by Dragonfly against energy companies since at least 2013. Backdoor.Oldrea was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.[1][2][3]
S0603: Stuxnet
Stuxnet was the first publicly reported malware to specifically target industrial control system devices. Stuxnet is a large and complex malware that utilized multiple behaviors, including numerous zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[1][2][3][4] Stuxnet was discovered in 2010, with some components being used as early as November 2008.[1]
S0606: Bad Rabbit
Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. Bad Rabbit has also targeted organizations and consumers in Russia. [1][2][3]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | cb1ec8c6ecfe… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.
[2] Daavid Hentunen, Antti Tikkanen. (2014, June 23). Havex Hunts For ICS/SCADA Systems. Retrieved April 1, 2019.
[3] Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA). (2021, July 20). Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 (AA21-201A). Retrieved October 8, 2021.
[4] mitre-attack. T0863: User Execution.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.