An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, and .reg.
Adversaries may employ various forms of Masquerading and Obfuscated Files or Information to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs)
While Malicious File frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-07 | Continuous Monitoring | mitigates | T1204.002 | Malicious File | |
CM-06 | Configuration Settings | mitigates | T1204.002 | Malicious File | |
SC-44 | Detonation Chambers | mitigates | T1204.002 | Malicious File | |
SI-08 | Spam Protection | mitigates | T1204.002 | Malicious File | |
SI-10 | Information Input Validation | mitigates | T1204.002 | Malicious File | |
SI-03 | Malicious Code Protection | mitigates | T1204.002 | Malicious File | |
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1204.002 | Malicious File | |
CM-02 | Baseline Configuration | mitigates | T1204.002 | Malicious File | |
CM-07 | Least Functionality | mitigates | T1204.002 | Malicious File | |
SI-04 | System Monitoring | mitigates | T1204.002 | Malicious File | |
AC-04 | Information Flow Enforcement | mitigates | T1204.002 | Malicious File | |
SC-07 | Boundary Protection | mitigates | T1204.002 | Malicious File | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Other | Other | related-to | T1204.002 | Malicious File | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
cloud_ids | Cloud IDS | technique_scores | T1204.002 | Malicious File | |
Comments
Malicious files are often used by adversaries to establish persistence; Palo Alto Networks' antivirus signatures are able to detect malware found in portable document format (PDF) files.
Although there are ways an attacker could modify a file so that it no longer matches a signature and still deliver a malicious file, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is continually updated to detect the latest known variations of these attacks.