MITRE ATT&CK Technique
Description
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566). While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534). Adversaries may also deceive users into performing actions such as: * Enabling [Remote Access Tools](https://attack.mitre.org/techniques/T1219), allowing direct control of the system to the adversary * Running malicious JavaScript in their browser, allowing adversaries to [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)s(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023) * Downloading and executing malware for [User Execution](https://attack.mitre.org/techniques/T1204) * Coerceing users to copy, paste, and execute malicious code manually(Citation: Reliaquest-execution)(Citation: proofpoint-selfpwn) For example, tech support scams can be facilitated through [Phishing](https://attack.mitre.org/techniques/T1566), vishing, or various forms of user interaction. Adversaries can use a combination of these methods, such as spoofing and promoting toll-free numbers or call centers that are used to direct victims to malicious websites, to deliver and execute payloads containing malware or [Remote Access Tools](https://attack.mitre.org/techniques/T1219).(Citation: Telephone Attack Delivery)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2018-04-18T17:59:24.739Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'An adversary may rely upon specific actions by a user in '
'order to gain execution. Users may be subjected to social '
'engineering to get them to execute malicious code by, for '
'example, opening a malicious document file or link. These '
'user actions will typically be observed as follow-on behavior '
'from forms of '
'[Phishing](https://attack.mitre.org/techniques/T1566).\n'
'\n'
'While [User '
'Execution](https://attack.mitre.org/techniques/T1204) '
'frequently occurs shortly after Initial Access it may occur '
'at other phases of an intrusion, such as when an adversary '
"places a file in a shared directory or on a user's desktop "
'hoping that a user will click on it. This activity may also '
'be seen shortly after [Internal '
'Spearphishing](https://attack.mitre.org/techniques/T1534).\n'
'\n'
'Adversaries may also deceive users into performing actions '
'such as:\n'
'\n'
'* Enabling [Remote Access '
'Tools](https://attack.mitre.org/techniques/T1219), allowing '
'direct control of the system to the adversary\n'
'* Running malicious JavaScript in their browser, allowing '
'adversaries to [Steal Web Session '
'Cookie](https://attack.mitre.org/techniques/T1539)s(Citation: '
'Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks '
'2023)\n'
'* Downloading and executing malware for [User '
'Execution](https://attack.mitre.org/techniques/T1204)\n'
'* Coerceing users to copy, paste, and execute malicious code '
'manually(Citation: Reliaquest-execution)(Citation: '
'proofpoint-selfpwn)\n'
'\n'
'For example, tech support scams can be facilitated through '
'[Phishing](https://attack.mitre.org/techniques/T1566), '
'vishing, or various forms of user interaction. Adversaries '
'can use a combination of these methods, such as spoofing and '
'promoting toll-free numbers or call centers that are used to '
'direct victims to malicious websites, to deliver and execute '
'payloads containing malware or [Remote Access '
'Tools](https://attack.mitre.org/techniques/T1219).(Citation: '
'Telephone Attack Delivery)',
'external_references': [{'external_id': 'T1204',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1204'},
{'description': 'Brian Krebs. (2023, May 30). Discord '
'Admins Hacked by Malicious '
'Bookmarks. Retrieved January 2, '
'2024.',
'source_name': 'Krebs Discord Bookmarks 2023',
'url': 'https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/'},
{'description': 'Reliaquest. (2024, May 31). New '
'Execution Technique in ClearFake '
'Campaign. Retrieved August 2, 2024.',
'source_name': 'Reliaquest-execution',
'url': 'https://www.reliaquest.com/blog/new-execution-technique-in-clearfake-campaign/'},
{'description': 'Selena Larson, Sam Scholten, Timothy '
'Kromphardt. (2021, November 4). '
'Caught Beneath the Landline: A 411 '
'on Telephone Oriented Attack '
'Delivery. Retrieved January 5, 2022.',
'source_name': 'Telephone Attack Delivery',
'url': 'https://www.proofpoint.com/us/blog/threat-insight/caught-beneath-landline-411-telephone-oriented-attack-delivery'},
{'description': 'Tiago Pereira. (2023, November 2). '
'Attackers use JavaScript URLs, API '
'forms and more to scam users in '
'popular online game “Roblox”. '
'Retrieved January 2, 2024.',
'source_name': 'Talos Roblox Scam 2023',
'url': 'https://blog.talosintelligence.com/roblox-scam-overview/'},
{'description': 'Tommy Madjar, Dusty Miller, Selena '
'Larson. (2024, June 17). From '
'Clipboard to Compromise: A '
'PowerShell Self-Pwn. Retrieved '
'August 2, 2024.',
'source_name': 'proofpoint-selfpwn',
'url': 'https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn'}],
'id': 'attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'execution'}],
'modified': '2025-10-24T17:49:04.940Z',
'name': 'User Execution',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Oleg Skulkin, Group-IB',
'Menachem Goldstein',
'Harikrishnan Muthu, Cyble',
'ReliaQuest',
'Ale Houspanossian',
'Fernando Bacchin'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'Windows', 'macOS', 'IaaS', 'Containers'],
'x_mitre_version': '1.8'}