User Execution
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing. While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing. Adversaries may also deceive users into performing actions such as: * Enabling Remote Access Software, allowing direct control of the system to the adversary * Running malicious JavaScript in their browser, allowing adversaries to Steal Web Session Cookies * Downloading and executing malware for User Execution * Coerceing users to copy, paste, and execute malicious code manually For example, tech support scams can be facilitated through Phishing, vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or Remote Access Software.
Open detection, hunting, mitigation, and evidence workspace
Detection logic
Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain Initial Access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads. Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).
Observed actors
Correlated CTI and IR reports
Andrey Pautov · direct source mappingAPT39 (Chafer / Remix Kitten)
Israel Threat Actors CTI · explicit report mentionCTI Research: Handala Hack Group (aka Handala Hack Team)
1200km CTI repository · explicit report mentionCTI Research: Handala Hack Group (aka Handala Hack Team)
1200km CTI repository · explicit report mentionExecutive Summary
Israel Threat Actors CTI · explicit report mentionOilRig (APT34 / Helix Kitten / Earth Simnavaz etc)
Israel Threat Actors CTI · explicit report mentionCTI Research Handala Hack Group aka Handala Hack Team
1200km Medium · authored report mentionCorrelation Based Detection Rules in Cybersecurity From Atomic Events to Behavioral Insight
1200km Medium · authored report mentionSingle Event Detection Rules in Cybersecurity
1200km Medium · authored report mention