Clankerusecase
MITRE ATT&CK detection coverage

T1204 User Execution

T1204 — User Execution is a MITRE ATT&CK technique in the Execution tactic. Clankerusecase tracks 29 detection use cases covering it and 2 threat-intel articles citing it.

Execution
29 Use cases
2 Articles
5 Sub-techniques
1 Tactic

Sub-techniques (5)

Use cases covering this technique (29)

CrowdStrike Falcon alert ingested | Internal | actions · alerting | DD
AWS Lambda UpdateFunctionCode | ESCU | actions · hunting | P
Kubernetes Anomalous Inbound Network Activity from Process | ESCU | actions · hunting | P
Kubernetes Anomalous Inbound Outbound Network IO | ESCU | actions · hunting | P
Kubernetes Anomalous Inbound to Outbound Network IO Ratio | ESCU | actions · hunting | P
Kubernetes Anomalous Outbound Network Activity from Process | ESCU | actions · hunting | P
Kubernetes Anomalous Traffic on Network Edge | ESCU | actions · hunting | P
Kubernetes Create or Update Privileged Pod | ESCU | actions · hunting | P
Kubernetes DaemonSet Deployed | ESCU | actions · hunting | P
Kubernetes Falco Shell Spawned | ESCU | actions · hunting | P
Kubernetes newly seen TCP edge | ESCU | actions · hunting | P
Kubernetes newly seen UDP edge | ESCU | actions · hunting | P
Kubernetes Node Port Creation | ESCU | actions · hunting | P
Kubernetes Pod Created in Default Namespace | ESCU | actions · hunting | P
Kubernetes Pod With Host Network Attachment | ESCU | actions · hunting | P
Kubernetes Previously Unseen Container Image Name | ESCU | actions · hunting | P
Kubernetes Previously Unseen Process | ESCU | actions · hunting | P
Kubernetes Process Running From New Path | ESCU | actions · hunting | P
Kubernetes Process with Anomalous Resource Utilisation | ESCU | actions · hunting | P
Kubernetes Process with Resource Ratio Anomalies | ESCU | actions · hunting | P
Kubernetes Shell Running on Worker Node | ESCU | actions · hunting | P
Kubernetes Shell Running on Worker Node with CPU Activity | ESCU | actions · hunting | P
Kubernetes Unauthorized Access | ESCU | actions · hunting | P
Clop Common Exec Parameter | ESCU | actions · alerting | P
Conti Common Exec parameter | ESCU | actions · alerting | P
Detect Rare Executables | ESCU | actions · hunting | P
Revil Common Exec Parameter | ESCU | actions · alerting | P
Cisco Secure Firewall - Lumma Stealer Activity | ESCU | actions · alerting | P
[LLM] AI coding agent (Claude Code / Cursor / Codex) spawning shell that fetch-and-executes remote payload | Bespoke | install · alerting | DSΣPDDCS

Articles citing this technique (2)