T1204.002: Malicious File
| View on MITRE ATT&CK | T1204.002 |
|---|---|
| Tactic(s) | Execution |
Data from MITRE ATT&CK®:
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
Adversaries may employ various forms of Masquerading and Obfuscated Files or Information to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs)
While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections
Blog post from researchers at Trend Micro discussing Earth Lusca and potential links to Chinese contractor I-Soon. Earth Lusca is a China-linked ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
Threat Group FIN7 Targets the U.S. Automotive Industry
In late 2023, BlackBerry analysts discovered a targeted attack by FIN7 on a U.S. automotive manufacturer, exploiting IT employees with higher ...
From OneNote to RansomNote: An Ice Cold Intrusion
This case report from The DFIR Report describes an intrusion which started with a malicious OneNote attachment. Opening the OneNote file led to ...
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
This article by researchers at Trend Micro discusses an Advanced Persistent Threat (APT) group they name Earth Krahang who have been observed ...
The Updated APT Playbook: Tales from the Kimsuky threat actor group
This article by researchers at Rapid7 discusses recent activity by North Korean intrusion set 'Kimsuky'. Kimsuky is primarily focused on ...
Detailed Analysis of DarkGate
This post on Medium by S2W presents a technical analysis of DarkGate malware and the operator behind it. According to the report, DarkGate is a ...
Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence
The blog entry details an investigation by Trend Micro's Managed Extended Detection and Response (MDR) team into a cyberespionage incident ...
REDCURL - The pentest you didn't know about
This report by researchers at Group-IB outlines activity by a group they call RedCurl. The report identifies victimology and motivation (corporate ...
StopRansomware: Phobos Ransomware
This is a joint Cybersecurity Advisory produced by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). It ...
Earth Preta Campaign Uses DOPLUGS to Target Asia
This blog post by researchers from Trend Micro describes the use of a customized PlugX backdoor which they name DOPLUGS. The DOPLUGS malware uses ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Execution Prevention
Block execution of code on a system through application control, and/or script blocking.
User Training
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
Behavior Prevention on Endpoint
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
How to detect this technique
MITRE ATT&CK Data Components
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
OSTAP JS version
Office Generic Payload Download
Office launching .bat file from AppData
Excel 4 Macro
Maldoc choice flags command execution
Mirror Blast Emulation
LNK Payload Download
OSTap Payload Download
Headless Chrome code execution via VBA
OSTap Style Macro Execution
Potentially Unwanted Applications (PUA)
Sigma Detections for this Technique
Remote DLL Load Via Rundll32.EXE
Download From Suspicious TLD - Blacklist
Microsoft VBA For Outlook Addin Loaded Via Outlook
Download From Suspicious TLD - Whitelist
HackTool - LittleCorporal Generated Maldoc Injection
Active Directory Kerberos DLL Loaded Via Office Application
Suspicious WMIC Execution Via Office Process
File With Uncommon Extension Created By An Office Application
Suspicious WmiPrvSE Child Process
Suspicious Outlook Child Process
Flash Player Update from Suspicious Location
Suspicious Microsoft Office Child Process - MacOS
New Application in AppCompat
Active Directory Parsing DLL Loaded Via Office Application
GAC DLL Loaded Via Office Applications
Suspicious Microsoft Office Child Process
VBA DLL Loaded Via Office Application
File Was Not Allowed To Run
Microsoft Excel Add-In Loaded From Uncommon Location
DotNET Assembly DLL Loaded Via Office Application
CLR DLL Loaded Via Office Applications
Suspicious Binary In User Directory Spawned From Office Application
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.