T1204.002 Malicious File Mappings

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.

Adversaries may employ various forms of Masquerading and Obfuscated Files or Information to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs)

While Malicious File frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-04 | Information Flow Enforcement | Protects | T1204.002 | Malicious File |
| CA-07 | Continuous Monitoring | Protects | T1204.002 | Malicious File |
| CM-02 | Baseline Configuration | Protects | T1204.002 | Malicious File |
| CM-06 | Configuration Settings | Protects | T1204.002 | Malicious File |
| CM-07 | Least Functionality | Protects | T1204.002 | Malicious File |
| SC-44 | Detonation Chambers | Protects | T1204.002 | Malicious File |
| SC-07 | Boundary Protection | Protects | T1204.002 | Malicious File |
| SI-10 | Information Input Validation | Protects | T1204.002 | Malicious File |
| SI-03 | Malicious Code Protection | Protects | T1204.002 | Malicious File |
| SI-04 | System Monitoring | Protects | T1204.002 | Malicious File |
| SI-07 | Software, Firmware, and Information Integrity | Protects | T1204.002 | Malicious File |
| SI-08 | Spam Protection | Protects | T1204.002 | Malicious File |
| EOP-Antimalware-E3 | Antimalware | Technique Scores | T1204.002 | Malicious File |
| M365-DEF-ZAP-E3 | Zero Hour Auto Purge | Technique Scores | T1204.002 | Malicious File |
| DEF-SecScore-E3 | Secure Score | Technique Scores | T1204.002 | Malicious File |
| DEF-SA-E3 | Safe Attachments | Technique Scores | T1204.002 | Malicious File |
| DEF-SA-E3 | Safe Attachments | Technique Scores | T1204.002 | Malicious File |
| DEF-Quarantine-E3 | Quarantine Policies | Technique Scores | T1204.002 | Malicious File |
| DEF-SIM-E5 | ATT&CK Simulation Training | Technique Scores | T1204.002 | Malicious File |
| DEF-SIM-E5 | ATT&CK Simulation Training | Technique Scores | T1204.002 | Malicious File |
| DEF-AIR-E5 | Automated Investigation and Response | Technique Scores | T1204.002 | Malicious File |