title: User Execution (T1204)
id: df00tech-t1204
status: experimental
description: "Adversaries rely on specific actions by a user to gain execution. Users are subjected to social engineering to execute malicious code by opening malicious document files, clicking links, running copy-pasted commands, or installing remote access tools under false pretenses. This technique frequently follows phishing (T1566) and encompasses a wide range of deceptive methods, including malicious Office documents spawning shells, fake CAPTCHAs instructing users to paste PowerShell into Run dialogs (ClickFix/ClearFake), tech support scams prompting RAT installation, and malicious LNK files on removable media. Threat groups such as Scattered Spider and LAPSUS$, and malware families such as Lumma Stealer and Raspberry Robin, rely heavily on user-initiated execution to bypass automated defenses."
references:
  - https://attack.mitre.org/techniques/T1204/
  - https://df00tech.com/detections/T1204
author: df00tech
date: 2026/04/19
tags:
  - attack.t1204
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate IT-deployed remote access tools (AnyDesk, TeamViewer, ScreenConnect) installed by helpdesk staff — these should appear with MSI/SCCM parent processes rather than browsers or explorer.exe"
  - Developers running scripts directly from their Downloads or Desktop folder — allowlist known developer workstations or specific AccountNames with documented exceptions
  - Office macros used by finance or operations teams for legitimate automation — document and allowlist specific macro-enabled workbooks and the user accounts that run them
  - "Browser-spawned update helpers or credential managers that briefly launch from AppData\\Roaming — build a baseline of expected binaries per application"
level: high
