User Execution

User Execution is an attack technique in which an adversary uses social engineering or similar means to induce the target user to run malicious code themselves; it commonly serves as an important vector for initial access or privilege escalation. Traditional defenses rely mainly on detecting anomalous process creation, monitoring sensitive command-line arguments, and analyzing the behavioral characteristics of document macros, combined with real-time blocking by endpoint protection software. As adversaries' concealment techniques evolve, however, defensive strategies that rely solely on static signature detection or single-point behavioral analysis risk becoming ineffective.

To evade traditional detection mechanisms, modern user-execution attacks are characterized by deep integration into real usage scenarios and by dynamic behavioral adaptation. Adversaries decompose the malicious execution chain, embed it into the workflows of legitimate software, and introduce environment-awareness and intelligent triggering mechanisms, producing a new attack paradigm that is "compliant on the surface, malicious underneath". The core advance of current concealment techniques lies in establishing a deep correlation between attack behavior and normal business operations: multi-stage inducement attacks use step-by-step authorization to gradually wear down the user's vigilance; document steganography breaks through the limits of traditional file formats to achieve zero-interaction triggering; and environment-awareness mechanisms ensure that the attack activates only in the blind spots of security monitoring. What these techniques have in common is that they break the traditional binary of "malicious versus legitimate": by blending behavioral features across multiple dimensions and adapting dynamically to the environment, they give every link of the attack chain a surface legitimacy.

This escalation in concealment forces defenses to evolve toward multi-dimensional behavioral modeling. Effectively countering deeply hidden user-execution attacks requires new detection capabilities, such as user-behavior baselining, integrity verification of software operation chains, and dynamic environmental risk assessment, together with stronger context awareness and coordinated analysis in endpoint protection systems.

ID: T1204
Sub-techniques: T1204.001, T1204.002, T1204.003
Tactic: Execution
Platforms: Containers, IaaS, Linux, Windows, macOS
Contributors: Ale Houspanossian; Fernando Bacchin; Harikrishnan Muthu, Cyble; Menachem Goldstein; Oleg Skulkin, Group-IB; ReliaQuest
Version: 1.7
Created: 18 April 2018
Last Modified: 11 November 2024

Concealment Effects

Effect type                      Present
Signature masquerading
Behavioral transparency
Data obscuring
Spatiotemporal trace dispersion

Signature masquerading

Adversaries closely imitate the functional chains of legitimate software, forge digital signatures, and conform to standard document formats, so that the malicious payload matches legitimate objects in file characteristics, process behavior, and network communication. Examples include embedding malicious code in a signed installer or constructing office documents that comply with industry standards, which defeats traditional detection based on signature-database matching.

Data obscuring

Multi-layer encryption and steganography are used to protect the malicious payload: for example, encrypted code segments are embedded in documents via Unicode control characters, or control instructions are carried in redundant fields of network protocols. Some advanced variants communicate with the C2 server over TLS-encrypted channels and combine this with traffic masquerading that mimics legitimate cloud-service interactions, effectively obscuring the key data characteristics of the attack chain.

Spatiotemporal trace dispersion

By dynamically loading and delaying the triggering of malicious code, adversaries dilute the temporal and spatial characteristics of the attack. Because the malicious behavior does not appear immediately after the file is executed, its indicators are spread out over time and across components, which lowers the real-time detection capability of defensive systems and makes user-execution attacks harder for defenders to detect.

Procedure Examples

ID Name Description
G1004 LAPSUS$

LAPSUS$ has recruited target organization employees or contractors who provide credentials and approve an associated MFA prompt, or install remote management software onto a corporate workstation, allowing LAPSUS$ to take control of an authenticated system.[1]

S1130 Raspberry Robin

Raspberry Robin execution can rely on users directly interacting with malicious LNK files.[2]

G1015 Scattered Spider

Scattered Spider has impersonated organization IT and helpdesk staff to instruct victims to execute commercial remote access tools to gain initial access.[3]

C0037 Water Curupira Pikabot Distribution

Water Curupira Pikabot Distribution requires users to interact with malicious attachments in order to start Pikabot installation.[4]

Mitigations

ID Mitigation Description
M1040 Behavior Prevention on Endpoint

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent executable files from running unless they meet a prevalence, age, or trusted-list criterion, and to prevent Office applications from creating potentially malicious executable content by blocking malicious code from being written to disk. Note: cloud-delivered protection must be enabled to use certain rules.[5]

M1038 Execution Prevention

Application control may be able to prevent the running of executables masquerading as other files.

M1031 Network Intrusion Prevention

If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.

M1021 Restrict Web-Based Content

If a link is being visited by a user, as a best practice block by default unknown or unused file types in transit that should not be downloaded (such as .scr, .exe, .pif, .cpl, etc.), or block downloads from suspicious sites by policy, to prevent some vectors. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar, that may be used to conceal malicious files.

M1017 User Training

Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor logs from applications to detect user-initiated actions such as opening malicious documents, clicking on phishing links, or executing downloaded malware.

Analytic 1 - Logs showing unexpected user actions triggering unusual processes.

sourcetype=application_log EventCode=1000 OR EventCode=1001
| search application IN ("winword.exe", "excel.exe", "chrome.exe", "firefox.exe", "adobe.exe", "zip.exe")
| stats count by application event_description
| where event_description IN ("opened document", "clicked link", "executed file")

DS0017 Command Command Execution

Detect commands triggered by users, especially related to decompression tools (e.g., zip files) that may unpack malicious payloads. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.

Analytic 1 - Command lines showing decompression or decoding actions.

sourcetype=WinEventLog:Powershell EventCode=4104
| search process_name IN ("powershell.exe", "cmd.exe", "zip.exe", "winrar.exe")
| stats count by process_name command_line user
| where command_line LIKE "%unzip%" OR command_line LIKE "%decode%"

DS0032 Container Container Creation

Monitor for newly constructed containers that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

Analytic 1 - Containers communicating with unexpected external services.

sourcetype=container_creation OR sourcetype=container_start
| stats count by container_name event_description user
| where container_name NOT IN ("") AND event_description IN ("created", "started")

Container Start

Monitor for the activation or invocation of a container (ex: docker start or docker restart).

DS0022 File File Creation

Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).

DS0007 Image Image Creation

Monitor for newly constructed images that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

DS0030 Instance Instance Creation

Monitor for newly constructed instances that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

Instance Start

Monitor for the activation or invocation of an instance (ex: instance.start within GCP Audit Logs).

DS0029 Network Traffic Network Connection Creation

Monitor network traffic patterns associated with web-based user actions, such as clicking on phishing links or executing malware that tries to establish C2 communication.

Analytic 1 - Web-based network connections to suspicious destinations.

sourcetype=sysmon EventCode=3
| search process_name IN ("winword.exe", "chrome.exe", "firefox.exe")
| stats count by src_ip dest_ip dest_port process_name
| where dest_ip NOT IN ("")

Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g. destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous process execution and command-line arguments (e.g. monitor anomalies in use of files that do not normally initiate network connections, or unusual connections initiated by regsvr32.exe, rundll.exe, .SCF, HTA, MSI, DLLs, or msiexec.exe).

DS0009 Process Process Creation

Identify processes spawned by user actions, especially from Office documents, PDFs, or web browsers that could lead to malicious execution.

Analytic 1 - Processes created from user interaction with files.

((sourcetype=WinEventLog:Security EventCode=4688) OR (sourcetype=Sysmon EventCode=1))
| search parent_process IN ("winword.exe", "excel.exe", "chrome.exe", "firefox.exe")
| stats count by parent_process process_name command_line user
| where process_name NOT IN ("chrome.exe", "firefox.exe", "winword.exe", "excel.exe")
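As an added example (not part of the original page or of ATT&CK itself), the Process Creation analytic above and the Command Execution analytic from DS0017, rewritten as plain Python over a few constructed Sysmon/PowerShell-style events; the event field names, the sample data and the extra decode keywords beyond the page's "%unzip%"/"%decode%" are assumptions.

```python
import re

# Constructed sample events shaped like Sysmon EventCode 1 (process creation)
# and PowerShell EventCode 4104 (script block) records; not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 1, "parent_process": "WINWORD.EXE", "process_name": "powershell.exe",
     "command_line": "powershell.exe -NoProfile -File stage.ps1", "user": "corp\\alice"},
    {"EventCode": 1, "parent_process": "explorer.exe", "process_name": "winword.exe",
     "command_line": "winword.exe /n report.docx", "user": "corp\\alice"},
    {"EventCode": 1, "parent_process": "chrome.exe", "process_name": "chrome.exe",
     "command_line": "chrome.exe --type=renderer", "user": "corp\\bob"},
    {"EventCode": 4104, "process_name": "powershell.exe", "user": "corp\\bob",
     "command_line": "Expand-Archive invoice.zip -DestinationPath C:\\Temp"},
    {"EventCode": 4104, "process_name": "cmd.exe", "user": "corp\\carol",
     "command_line": "dir C:\\Users"},
]

# Applications the user interacts with directly (the page's parent-process list).
USER_FACING_APPS = {"winword.exe", "excel.exe", "chrome.exe", "firefox.exe"}
SHELLS_AND_ARCHIVERS = {"powershell.exe", "cmd.exe", "zip.exe", "winrar.exe"}
# The page's "%unzip%"/"%decode%" terms, extended with the PowerShell cmdlet and
# the encoded-command switch (assumption: they belong in the same bucket).
DECODE_PATTERN = re.compile(r"unzip|decode|expand-archive|encodedcommand|-enc\b", re.I)


def suspicious_child_processes(events):
    """Process Creation analytic: a user-facing app spawns a child that is not
    itself one of those apps (e.g. Word launching PowerShell). Case-insensitive."""
    hits = []
    for e in events:
        if e.get("EventCode") != 1:
            continue
        parent, child = e["parent_process"].lower(), e["process_name"].lower()
        if parent in USER_FACING_APPS and child not in USER_FACING_APPS:
            hits.append((parent, child, e["user"]))
    return hits


def decode_or_unpack_commands(events):
    """Command Execution analytic: a shell or archiver whose command line
    unpacks or decodes content, which may be staging a downloaded payload."""
    return [(e["process_name"].lower(), e["command_line"], e["user"])
            for e in events
            if e.get("EventCode") == 4104
            and e["process_name"].lower() in SHELLS_AND_ARCHIVERS
            and DECODE_PATTERN.search(e["command_line"])]


if __name__ == "__main__":
    for hit in suspicious_child_processes(SAMPLE_EVENTS) + decode_or_unpack_commands(SAMPLE_EVENTS):
        print("ALERT", hit)
```

In production the same two functions would be fed from the SIEM export rather than the inline list; the lowercasing matters because Sysmon records parent image names with mixed case.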

References