T1204.002 Malicious File Mappings

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.

Adversaries may employ various forms of Masquerading on the file to increase the likelihood that a user will open it.

While Malicious File frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-16 | Security and Privacy Attributes | Protects | T1204.002 | Malicious File |
| AC-17 | Remote Access | Protects | T1204.002 | Malicious File |
| AC-2 | Account Management | Protects | T1204.002 | Malicious File |
| AC-21 | Information Sharing | Protects | T1204.002 | Malicious File |
| AC-23 | Data Mining Protection | Protects | T1204.002 | Malicious File |
| AC-3 | Access Enforcement | Protects | T1204.002 | Malicious File |
| AC-4 | Information Flow Enforcement | Protects | T1204.002 | Malicious File |
| AC-6 | Least Privilege | Protects | T1204.002 | Malicious File |
| CA-7 | Continuous Monitoring | Protects | T1204.002 | Malicious File |
| CM-2 | Baseline Configuration | Protects | T1204.002 | Malicious File |
| CM-3 | Configuration Change Control | Protects | T1204.002 | Malicious File |
| CM-5 | Access Restrictions for Change | Protects | T1204.002 | Malicious File |
| CM-6 | Configuration Settings | Protects | T1204.002 | Malicious File |
| CM-7 | Least Functionality | Protects | T1204.002 | Malicious File |
| CM-8 | System Component Inventory | Protects | T1204.002 | Malicious File |
| SC-28 | Protection of Information at Rest | Protects | T1204.002 | Malicious File |
| SC-44 | Detonation Chambers | Protects | T1204.002 | Malicious File |
| SC-7 | Boundary Protection | Protects | T1204.002 | Malicious File |
| SI-10 | Information Input Validation | Protects | T1204.002 | Malicious File |
| SI-3 | Malicious Code Protection | Protects | T1204.002 | Malicious File |
| SI-4 | System Monitoring | Protects | T1204.002 | Malicious File |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1204.002 | Malicious File |
| SI-8 | Spam Protection | Protects | T1204.002 | Malicious File |
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1204.002 | Malicious File |
| adaptive_application_controls | Adaptive Application Controls | technique_scores | T1204.002 | Malicious File |
| microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1204.002 | Malicious File |