{ "type": "bundle", "id": "bundle--32c2b0eb-e34f-47cf-82c0-e3d639a29a5a", "spec_version": "2.0", "objects": [ { "modified": "2023-03-09T18:38:51.471Z", "name": "User Execution", "description": "Adversaries may rely on a targeted organization's user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents. \n\nAdversaries may embed malicious code or Visual Basic code into files such as Microsoft Word and Excel documents or software installers. (Citation: Booz Allen Hamilton) Execution of this code requires that the user enable scripting or write access within the document. Embedded code may not always be noticeable to the user, especially in cases of trojanized software. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012 delivered malware through spearphishing attachments which required user action to achieve execution. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "execution" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Engineering Workstation", "Human-Machine Interface" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ "Application Log: Application Log Content", "Process: Process Creation", "Network Traffic: Network Connection Creation", "Network Traffic: Network Traffic Content", "Command: Command Execution", "File: File Access" ], "type": "attack-pattern", "id": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0863", "external_id": "T0863" }, { "source_name": "Booz Allen Hamilton", "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" }, { "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", "url": "https://www.f-secure.com/weblog/archives/00002718.html" }, { "source_name": "CISA AA21-201A Pipeline Intrusion July 2021", "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ", "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] } ] }