MITRE ATT&CK® Technique

T1204: User Execution

An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.

While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

Adversaries may also deceive users into performing actions such as:

* Enabling Remote Access Tools, allowing direct control of the system to the adversary
* Running malicious JavaScript in their browser, allowing adversaries to Steal Web Session Cookies[1][2]
* Downloading and executing malware for User Execution
* Coercing users to copy, paste, and execute malicious code manually[3][4]

For example, tech support scams can be facilitated through Phishing, vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or Remote Access Tools.[5]

Enterprise | T1204 | Technique | Object v1.8 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

User Execution matters because it turns human trust and routine work into the execution path for adversary code. The business issue is not only phishing awareness; it is whether the organization can prevent, observe, and respond when a user opens a malicious file or link, runs a questionable tool, deploys a malicious cloud/container image, installs a malicious library, or copies and pastes attacker-provided commands.

Executive priority

Treat T1204 as a cross-cutting execution risk that spans endpoints, browsers, email/web delivery paths, cloud images, containers, and developer/package workflows. Leaders should ask whether controls reduce the chance of unsafe user-driven execution, whether SOC teams can see the follow-on behavior after a click or open event, and whether incident response can quickly determine who executed what, from where, and what changed next. This technique is also useful for audit and resilience discussions because the relevant safeguards include user training, web-content restriction, limiting software installation, execution prevention, endpoint behavior prevention, and network intrusion prevention.

Technical view

ATT&CK lists this as an enterprise execution technique across Linux, Windows, macOS, IaaS, and Containers, with sub-techniques for malicious links, files, images, copy-and-paste execution, and libraries. Because MITRE provides no official detection text for the parent technique, teams should validate coverage around behavior chains rather than a single event: document or link interaction, helper or unpacker activity, suspicious child processes or command interpreters, remote access tool enablement, web/session theft indicators where applicable, package/image install or deployment events, and outbound network activity. The related detection strategy DET0478 specifically frames this as a multi-surface chain from documents/links to helper or unpacker, living-off-the-land binary or child process, and egress.

Likely telemetry

  • Email, web proxy, browser, and URL filtering logs for links, downloads, and unsafe web content
  • Endpoint process creation, parent-child process relationships, script execution, and file execution telemetry
  • File and attachment metadata, including user-opened documents, archives, executables, shortcuts, and downloaded files
  • Command and scripting interpreter activity, especially where user copy-and-paste execution is suspected
  • Remote access tool installation, launch, or enablement events

Detection direction

  • Validate behavior-chain detections rather than relying on a single phishing or malware alert: user interaction should be correlated with subsequent process, script, download, tool, or egress activity.
  • Tune detections for suspicious parent-child process relationships after documents, links, browsers, archive tools, or helper applications launch code or command interpreters.
  • For cloud and container environments, confirm whether image provenance, deployment source, and runtime behavior are logged; malicious image execution may not appear in traditional endpoint-only monitoring.
  • For developer and package workflows, confirm visibility into library installation events and repository/package sources; malicious library execution can bypass controls focused only on email attachments or browser downloads.
  • Account for false positives from legitimate software installation, administrative scripting, remote support, developer tooling, and container/image workflows by requiring context such as source, user role, timing, and follow-on network or execution behavior.
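A minimal behavior-chain check of the kind the bullets above describe (document or link parent, interpreter or living-off-the-land child, then egress), added here as an example and not Glexia or MITRE detection content. The event field names, the parent and interpreter allowlists, and the sample events are constructed assumptions modelled on Sysmon-style process-creation and network-connection records.

```python
from collections import defaultdict

# Parents whose children follow a user open or click, and the interpreters /
# living-off-the-land binaries those parents should rarely spawn directly.
USER_FACING = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe", "chrome.exe", "msedge.exe", "7zfm.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-nop", "iex", "downloadstring")

def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def chain_alerts(events, egress_window=300):
    """Correlate user-facing parent -> interpreter child -> outbound connection.
    events are Sysmon-style dicts: 'process' (ts, pid, ppid, user, image, cmdline) or
    'network' (ts, pid, dest). 'high' = child or a descendant connects out within
    egress_window seconds; 'medium' = suspicious command-line arguments only."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    alerts = []
    for p in sorted(procs.values(), key=lambda e: e["ts"]):
        parent = procs.get(p["ppid"])
        if not parent or _basename(parent["image"]) not in USER_FACING \
                or _basename(p["image"]) not in INTERPRETERS:
            continue
        tree, stack = {p["pid"]}, [p["pid"]]  # include descendants so grandchild egress counts
        while stack:
            for c in children[stack.pop()]:
                if c not in tree:
                    tree.add(c); stack.append(c)
        egress = [e["dest"] for e in events if e["type"] == "network" and e["pid"] in tree
                  and p["ts"] <= e["ts"] <= p["ts"] + egress_window]
        flags = [a for a in SUSPICIOUS_ARGS if a in p["cmdline"].lower()]
        severity = "high" if egress else "medium" if flags else "low"
        alerts.append({"user": p["user"], "parent": _basename(parent["image"]), "child": _basename(p["image"]),
                       "suspicious_args": flags, "egress": egress, "severity": severity})
    return alerts

def P(ts, pid, ppid, image, cmdline, user="CORP\\alice"):  # constructed process event
    return dict(type="process", ts=ts, pid=pid, ppid=ppid, user=user, image=image, cmdline=cmdline)

# Constructed sample: Word opens a macro document, spawns hidden PowerShell, whose rundll32 child connects out.
SAMPLE_EVENTS = [
    P(100, 10, 1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE /n invoice.docm"),
    P(104, 42, 10, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -w hidden -nop -enc QUJD"),
    P(106, 43, 42, r"C:\Windows\System32\rundll32.exe", "rundll32.exe stage.dll,Run"),
    {"type": "network", "ts": 130, "pid": 43, "dest": "203.0.113.5:443"},
]
```

Running `chain_alerts(SAMPLE_EVENTS)` yields a single high-severity alert for the Word-to-PowerShell chain; an interpreter launched from Explorer or a terminal produces none, which is the context filter the false-positive bullet asks for.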

Mitigation priorities

  • Start with user training focused on recognizing, reporting, and avoiding social engineering that asks users to open files, click links, enable tools, deploy images, install libraries, or paste commands.
  • Restrict web-based content through filtering, download controls, script controls, and browser/extension governance where appropriate.
  • Limit unauthorized software installation and apply least-privilege principles so user action alone is less likely to introduce unapproved code or tools.
  • Implement execution prevention and application control for unauthorized code, scripts, and binaries across supported endpoint platforms.
  • Use endpoint behavior prevention to block suspicious process, file, API, or script behavior after user interaction.

Analyst notes and limits

The supplied ATT&CK relationships show this technique is broad and materially connected to multiple sub-techniques, including malicious links, files, images, copy-and-paste execution, and libraries. Related examples also include social engineering leading to remote access tool enablement, browser JavaScript abuse, tech support scam delivery, and manually executed code. Campaign, group, and software relationships indicate that ATT&CK has observed this behavior in multiple contexts, but local risk should be assessed from the organization’s own exposure, control coverage, and incident history.

MITRE does not provide official detection guidance for this parent object, so this take relies on the official description, platforms, tactics, external references, and supplied relationships. It does not assert active exploitation against any specific organization, guaranteed detection, or platform coverage beyond the listed ATT&CK platforms and related sub-techniques. Local telemetry availability, control configuration, user roles, and business workflows are required to determine actual coverage and priority.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name                       Relationship / procedure
Enterprise  T1204.005  Malicious Library          Sub-technique: Malicious Library subtechnique of this object.
Enterprise  T1204.002  Malicious File             Sub-technique: Malicious File subtechnique of this object.
Enterprise  T1204.003  Malicious Image            Sub-technique: Malicious Image subtechnique of this object.
Enterprise  T1204.001  Malicious Link             Sub-technique: Malicious Link subtechnique of this object.
Enterprise  T1204.004  Malicious Copy and Paste   Sub-technique: Malicious Copy and Paste subtechnique of this object.

Associated objects

Groups, software, and campaigns

Group Enterprise

G1015: Scattered Spider

Scattered Spider is a native English-speaking cybercriminal group active since at least 2022.[1][2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors.[2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain.[3][4][5] Scattered Spider has expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365.[6]

Group Enterprise

G1004: LAPSUS$

LAPSUS$ is a cybercriminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[1][2][3]

Malware Enterprise

S1130: Raspberry Robin

Raspberry Robin is initial access malware first identified in September 2021, and active through early 2024. The malware is notable for spreading via infected USB devices containing a malicious LNK object that, on execution, retrieves remote hosted payloads for installation. Raspberry Robin has been widely used against various industries and geographies, and as a precursor to information stealer, ransomware, and other payloads such as SocGholish, Cobalt Strike, IcedID, and Bumblebee.[1][2][3] The DLL component in the Raspberry Robin infection chain is also referred to as "Roshtyak."[4] The name "Raspberry Robin" is used to refer to both the malware and the threat actor associated with its use, although the Raspberry Robin operators are also tracked as Storm-0856 by some vendors.[5]

Platforms: Windows

Campaign Enterprise

C0037: Water Curupira Pikabot Distribution

Pikabot was distributed in Water Curupira Pikabot Distribution throughout 2023 by an entity linked to BlackBasta ransomware deployment via email attachments. This activity followed the take-down of QakBot, with several technical overlaps and similarities with QakBot, indicating a possible connection. The identified activity led to the deployment of tools such as Cobalt Strike, while coinciding with campaigns delivering DarkGate and IcedID en route to ransomware deployment.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.8
Created:
Modified:
Raw hash: 61f237cfa163a90e...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.8                         Current bundle   61f237cfa163…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Talos Roblox Scam 2023
     Tiago Pereira. (2023, November 2). Attackers use JavaScript URLs, API forms and more to scam users in popular online game “Roblox”. Retrieved January 2, 2024.

  2. [2] Krebs Discord Bookmarks 2023
     Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious Bookmarks. Retrieved January 2, 2024.

  3. [3] Reliaquest-execution
     Reliaquest. (2024, May 31). New Execution Technique in ClearFake Campaign. Retrieved August 2, 2024.

  4. [4] proofpoint-selfpwn
     Tommy Madjar, Dusty Miller, Selena Larson. (2024, June 17). From Clipboard to Compromise: A PowerShell Self-Pwn. Retrieved August 2, 2024.

  5. [5] Telephone Attack Delivery
     Selena Larson, Sam Scholten, Timothy Kromphardt. (2021, November 4). Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery. Retrieved January 5, 2022.

  6. [6] mitre-attack T1204

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.