Threat actors may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.