T1204.002 Malicious File Mappings

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.

Adversaries may employ various forms of Masquerading on the file to increase the likelihood that a user will open it.

While Malicious File frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop in the hope that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.


NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---------------|------------------------|--------------|-----------|-------------|-------|
| AC-16 | Security and Privacy Attributes | Protects | T1204.002 | Malicious File | |
| AC-17 | Remote Access | Protects | T1204.002 | Malicious File | |
| AC-2 | Account Management | Protects | T1204.002 | Malicious File | |
| AC-21 | Information Sharing | Protects | T1204.002 | Malicious File | |
| AC-23 | Data Mining Protection | Protects | T1204.002 | Malicious File | |
| AC-3 | Access Enforcement | Protects | T1204.002 | Malicious File | |
| AC-4 | Information Flow Enforcement | Protects | T1204.002 | Malicious File | |
| AC-6 | Least Privilege | Protects | T1204.002 | Malicious File | |
| CA-7 | Continuous Monitoring | Protects | T1204.002 | Malicious File | |
| CM-2 | Baseline Configuration | Protects | T1204.002 | Malicious File | |
| CM-3 | Configuration Change Control | Protects | T1204.002 | Malicious File | |
| CM-5 | Access Restrictions for Change | Protects | T1204.002 | Malicious File | |
| CM-6 | Configuration Settings | Protects | T1204.002 | Malicious File | |
| CM-7 | Least Functionality | Protects | T1204.002 | Malicious File | |
| CM-8 | System Component Inventory | Protects | T1204.002 | Malicious File | |
| SC-28 | Protection of Information at Rest | Protects | T1204.002 | Malicious File | |
| SC-44 | Detonation Chambers | Protects | T1204.002 | Malicious File | |
| SC-7 | Boundary Protection | Protects | T1204.002 | Malicious File | |
| SI-10 | Information Input Validation | Protects | T1204.002 | Malicious File | |
| SI-3 | Malicious Code Protection | Protects | T1204.002 | Malicious File | |
| SI-4 | System Monitoring | Protects | T1204.002 | Malicious File | |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1204.002 | Malicious File | |
| SI-8 | Spam Protection | Protects | T1204.002 | Malicious File | |

Azure Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---------------|------------------------|--------------|-----------|-------------|-------|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1204.002 | Malicious File | See comments below |
| adaptive_application_controls | Adaptive Application Controls | technique_scores | T1204.002 | Malicious File | See comments below |
| microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1204.002 | Malicious File | See comments below (blocking) |
| microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1204.002 | Malicious File | See comments below (detection) |

Comments on alerts_for_windows_machines (Alerts for Windows Machines):
This control may detect the usage of a malware dropper and other indicators of a malicious file being executed by the user. The following alerts may be generated: "Detected possible execution of keygen executable", "Detected possible execution of malware dropper", "Detected suspicious file creation".

Comments on adaptive_application_controls (Adaptive Application Controls):
Once this control is activated, it generates alerts for any executable that has been run and is not included in an allow list. There is a significant potential for false positives from new non-malicious executables, and events are calculated once every twelve hours, so its temporal score is Partial.

Comments on microsoft_antimalware_for_azure (Microsoft Antimalware for Azure), blocking:
This control monitors activity in cloud services and on virtual machines to block malware execution. This is dependent on a signature being available.

Comments on microsoft_antimalware_for_azure (Microsoft Antimalware for Azure), detection:
This control monitors activity in cloud services and on virtual machines to detect malware execution. This is dependent on a signature being available.