T1204.002 Malicious File Mappings

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.

Adversaries may employ various forms of Masquerading and Obfuscated Files or Information to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs)

While Malicious File frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

Intel vPro Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1204.002 | Malicious File
Comments: Intel Threat Detection Technology's (Intel TDT) Accelerated Memory Scanning (AMS) enables efficient memory scanning by offloading these operations to the integrated Graphics Processor Unit (integrated GPU) on Intel client SoCs. Microsoft Defender Antivirus leverages AMS to optimize the detection of polymorphic and fileless attacks, improving resource efficiency and reducing the performance impact on the Central Processing Unit (CPU). Intel TDT, combined with CrowdStrike's Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of Malicious File execution. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact. Malicious file attacks typically involve adversaries delivering malicious payloads disguised as legitimate files (e.g., documents, software, or attachments). When a user opens or executes the file, it triggers malicious behavior, such as malware installation, data theft, or system compromise. Intel TDT plays a crucial role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, enabling the rapid detection of suspicious behaviors, such as the execution of unauthorized or malicious files that could indicate exploitation. Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel integrated GPU, allowing for faster and more efficient detection of malicious activities without degrading system performance. CAMS helps identify suspicious behaviors, such as unauthorized file executions or attempts to run malicious code, providing proactive defense against this widespread and highly evasive attack vector.
intel-tdt | Intel Threat Detection Technology | Microsoft Defender | T1204.002 | Malicious File
Comments: Intel Threat Detection Technology's (Intel TDT) Accelerated Memory Scanning (AMS) enables efficient memory scanning by offloading these operations to the integrated Graphics Processor Unit (integrated GPU) on Intel client SoCs. Microsoft Defender Antivirus leverages AMS to optimize the detection of polymorphic and fileless attacks, improving resource efficiency and reducing the performance impact on the Central Processing Unit (CPU). Intel TDT, combined with CrowdStrike's Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of Malicious File execution. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact. Malicious file attacks typically involve adversaries delivering malicious payloads disguised as legitimate files (e.g., documents, software, or attachments). When a user opens or executes the file, it triggers malicious behavior, such as malware installation, data theft, or system compromise. Intel TDT plays a crucial role in identifying these threats by providing real-time telemetry on program execution, memory access, and control flow, enabling the rapid detection of suspicious behaviors, such as the execution of unauthorized or malicious files that could indicate exploitation. Additionally, CAMS offloads the memory scanning workload from the CPU to the Intel integrated GPU, allowing for faster and more efficient detection of malicious activities without degrading system performance. CAMS helps identify suspicious behaviors, such as unauthorized file executions or attempts to run malicious code, providing proactive defense against this widespread and highly evasive attack vector.

Known Exploited Vulnerabilities Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CVE-2015-3043 | Adobe Flash Player Memory Corruption Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This vulnerability is exploited by a maliciously-crafted .swf file which can be run on a user system.
CVE-2024-38080 | Microsoft Windows Hyper-V Privilege Escalation Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This zero-day vulnerability presents itself after an adversary has already infiltrated the victim's network and enables the adversary to obtain SYSTEM-level privileges via the Microsoft Windows Hyper-V product. As of now, details of the attacker's methods for exploiting this vulnerability are undisclosed.
CVE-2018-4990 | Adobe Acrobat and Reader Double Free Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This vulnerability is exploited via embedded JavaScript within a user-executed malicious PDF. There are two mapped exploitation_techniques for this CVE.
CVE-2007-5659 | Adobe Acrobat and Reader Buffer Overflow Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This vulnerability is exploited via a malicious PDF file in order to execute arbitrary code.
CVE-2018-4878 | Adobe Flash Player Use-After-Free Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: The exploitation technique for this vulnerability is based on a vulnerability in client software. In the wild, this was seen to be exploited via a malicious Excel file. The observed goals of this exploit by Group 123 are remote access and data exfiltration.
CVE-2021-28550 | Adobe Acrobat and Reader Use-After-Free Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This exploit requires a user to open a malicious file. It can then result in execution of arbitrary code, which could have any number of impacts.
CVE-2021-21017 | Adobe Acrobat and Reader Heap-based Buffer Overflow Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This exploit requires a user to open a malicious file. It can then result in execution of arbitrary code, which could have any number of impacts.
CVE-2016-4117 | Adobe Flash Player Arbitrary Code Execution Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: The vulnerability is exploited by a user opening a maliciously-crafted file. Reporting on in-the-wild exploitation indicates threat actors utilize this vulnerability to install command and control software on the target system. Adversaries seen exploiting this vulnerability were also observed performing a version check on the target software before attempting exploitation.
CVE-2016-0984 | Adobe Flash Player and AIR Use-After-Free Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This use-after-free vulnerability is exploited by having the user open a maliciously-crafted file. This CVE was observed being exploited by the threat actor known as BlackOasis.
CVE-2009-1862 | Adobe Acrobat and Reader, Flash Player Unspecified Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This vulnerability is exploited through a user opening a maliciously-crafted PDF file or SWF file.
CVE-2023-21608 | Adobe Acrobat and Reader Use-After-Free Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This vulnerability is exploited by having a user open a maliciously-crafted PDF file, which can result in arbitrary code execution.
CVE-2009-4324 | Adobe Acrobat and Reader Use-After-Free Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This vulnerability is exploited by having the user open a maliciously-crafted PDF file. In the wild, this has been observed to result in a malicious actor installing a custom executable on the victim's machine and establishing communications.
CVE-2008-0655 | Adobe Acrobat and Reader Unspecified Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This vulnerability is exploited by having a user open a maliciously-crafted PDF file.
CVE-2009-3953 | Adobe Acrobat and Reader Universal 3D Remote Code Execution Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This vulnerability is exploited by having a user open a maliciously-crafted PDF file.
CVE-2011-2462 | Adobe Acrobat and Reader Universal 3D Memory Corruption Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This vulnerability is exploited by having the user open a malicious PDF file to achieve arbitrary code execution.
CVE-2010-2883 | Adobe Acrobat and Reader Stack-Based Buffer Overflow Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This vulnerability is exploited by the user opening a malicious PDF file to achieve arbitrary code execution.
CVE-2023-26369 | Adobe Acrobat and Reader Out-of-Bounds Write Vulnerability | exploitation_technique | T1204.002 | Malicious File
CVE-2022-30190 | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This vulnerability is exploited through a maliciously-crafted Word document, which downloads HTML that then runs commands on the target machine; it has been seen downloading additional payloads onto target machines.
CVE-2008-2992 | Adobe Reader and Acrobat Input Validation Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This vulnerability is exploited via a maliciously-crafted PDF file.
CVE-2013-0641 | Adobe Reader Buffer Overflow Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This buffer overflow vulnerability is exploited via maliciously-crafted PDF files delivered via targeted emails. Adversaries use this exploit to deliver a remote administration tool with the goal of data exfiltration.
CVE-2014-0496 | Adobe Reader and Acrobat Use-After-Free Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This vulnerability is exploited via a maliciously-crafted file.
CVE-2017-11292 | Adobe Flash Player Type Confusion Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This vulnerability is exploited using a maliciously-crafted Word document attached to spearphishing emails. Adversaries have been seen to leverage this to install exploit code from their command and control server. This malware then performs data collection on the target systems.
CVE-2018-15982 | Adobe Flash Player Use-After-Free Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This vulnerability is exploited via a maliciously-crafted Word document, which then extracts the adversary's RAT tool.
CVE-2010-1297 | Adobe Flash Player Memory Corruption Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This vulnerability is exploited by crafted SWF content via drive-by compromise when a user visits a malicious website. It is also exploited via user execution of a maliciously-crafted PDF file. In the wild, threat actors have used this to download malicious software onto the target system.
CVE-2015-3113 | Adobe Flash Player Heap-Based Buffer Overflow Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This heap-based buffer overflow vulnerability is exploited by having a user open a maliciously-crafted file. In the wild, this exploitation has been used to establish command and control (over HTTP) with a target system. The command and control functionality has also been seen to employ debugging/sandboxing evasion.
CVE-2011-0611 | Adobe Flash Player Remote Code Execution Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This vulnerability is exploited by having a user execute a maliciously-crafted Word document or PDF file that has an embedded SWF. The malicious code then downloads another payload to the target machine.
CVE-2012-1535 | Adobe Flash Player Arbitrary Code Execution Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This vulnerability is exploited by having a user execute a maliciously-crafted Word document that has an embedded SWF. The embedded SWF can download additional malicious software from the web.
CVE-2015-7645 | Adobe Flash Player Arbitrary Code Execution Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This vulnerability is exploited by the user opening a maliciously-crafted .swf file.
CVE-2023-21715 | Microsoft Office Publisher Security Feature Bypass Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: CVE-2023-21715 is a security feature bypass vulnerability exploitable when a user opens a specially-crafted file, bypassing macro policies.
CVE-2022-34713 | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability | primary_impact | T1204.002 | Malicious File
Comments: This vulnerability is exploited when a user is tricked by an adversary into opening a maliciously-crafted file, delivered either via an email or a malicious website. Once the user opens the file, the adversary gains the ability to execute arbitrary code the next time the victim restarts their computer and logs in.
CVE-2023-36884 | Microsoft Windows Search Remote Code Execution Vulnerability | primary_impact | T1204.002 | Malicious File
Comments: This remote code execution vulnerability in Microsoft Office has been exploited by adversarial groups to distribute ransomware. Attackers use specially crafted Microsoft Office documents to bypass security features, enabling remote code execution without user prompts. These documents are typically delivered through phishing techniques, enticing victims to open them. Once opened, the ransomware encrypts files and demands a ransom for decryption, while also removing system backups and leaving a ransom note threatening data loss if recovery is attempted without the provided decryptor key. The ransomware further erases system logs and may publish stolen data on leak websites, leading to unauthorized access to sensitive information and potential installation of backdoors for further exploitation. Microsoft addressed this vulnerability in their security updates by introducing measures to make file paths unpredictable, thereby mitigating the exploit chain. Despite these updates, additional vulnerabilities in Microsoft Office and Windows were identified. Security solutions offer protection against these exploits, and findings are shared with cybersecurity alliances to enhance collective defense efforts.
This vulnerability has been exploited by the Russian group Storm-0978, also known as RomCom, who craft specially designed Microsoft Office documents related to the Ukrainian World Congress. These documents bypass Microsoft's Mark-of-the-Web (MotW) security feature, enabling remote code execution without security prompts. The adversary used phishing techniques to deliver these documents, enticing victims to open them. Once opened, the ransomware, known as Underground, executes, encrypting files and demanding a ransom for decryption. The ransomware further removes shadow copies, terminates MS SQL Server services, and leaves a ransom note threatening data loss if recovery is attempted without their decryptor key. It also erases Windows Event logs and publishes stolen victim data on a data leak website, causing unauthorized access to sensitive information and potential installation of backdoors for further exploitation.
CVE-2012-0754 | Adobe Flash Player Memory Corruption Vulnerability | exploitation_technique | T1204.002 | Malicious File
Comments: This vulnerability is exploited via a maliciously-crafted MP4 file. As a result of the exploit, malicious software is installed on the target machine.