An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
Adversaries may employ various forms of Masquerading on the file to increase the likelihood that a user will open it.
While Malicious File frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
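The following is an added example, not part of the ATT&CK page or any MITRE tooling: a small mail-gateway style triage for the behaviour described above. It checks attachment names against the user-executed file types the description lists, looks for the simple Masquerading the description mentions (a document-looking name such as `invoice.pdf.exe`, or padding spaces that push the real extension out of view), and decides whether to deliver, detonate (the SC-44 Detonation Chambers control mapped below) or block. The log line format, the `DOCUMENT_LIKE` list and the sample lines are assumptions constructed for this example and follow no vendor's schema.

```python
"""Added example (not part of the ATT&CK mapping page): gateway triage for
T1204.002 User Execution: Malicious File.

classify_attachment() flags attachment names whose final extension is one of
the user-executed types the technique description lists and spots simple
Masquerading. triage_mail_log() applies that to constructed gateway log lines
and returns a deliver / detonate / block decision per attachment.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# File types the technique description names as requiring the user to execute them.
USER_EXECUTED_EXTENSIONS = {
    ".doc", ".pdf", ".xls", ".rtf", ".scr", ".exe", ".lnk", ".pif", ".cpl",
}
# Subset that Windows runs as code the moment the user double-clicks.
DIRECTLY_EXECUTABLE = {".scr", ".exe", ".lnk", ".pif", ".cpl"}
# Extensions an attacker wants the victim to believe the file has (assumed list).
DOCUMENT_LIKE = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt", ".jpg"}

# Constructed log format: sender=<addr> recipient=<addr> attachment="<name>"
LOG_RE = re.compile(r'sender=(?P<sender>\S+) recipient=(?P<rcpt>\S+) attachment="(?P<name>.*)"$')


@dataclass(frozen=True)
class AttachmentVerdict:
    filename: str
    extension: str       # the final extension, which is what Windows acts on
    user_executed: bool  # extension is in the T1204.002 list
    masquerading: bool   # document-looking name hiding a directly executable type
    reason: str


def classify_attachment(filename: str) -> AttachmentVerdict:
    """Classify by the final extension, then look for Masquerading: an inner
    document-like extension, or trailing spaces before the real extension so a
    mail client shows 'invoice.pdf' and truncates the '.exe'."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]   # strip any path
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    padded = stem != stem.rstrip(" ")
    inner_ext = os.path.splitext(stem.rstrip(" "))[1].lower()

    user_executed = ext in USER_EXECUTED_EXTENSIONS
    masquerading = ext in DIRECTLY_EXECUTABLE and (inner_ext in DOCUMENT_LIKE or padded)
    if masquerading:
        reason = f"{ext} disguised as {inner_ext or 'a document'}"
    elif user_executed:
        reason = f"user-executed file type {ext}"
    else:
        reason = "no T1204.002 indicator in filename"
    return AttachmentVerdict(base, ext, user_executed, masquerading, reason)


def triage_attachment(verdict: AttachmentVerdict) -> str:
    """Gateway decision: block obvious masquerading, route other user-executed
    types through a detonation chamber, deliver everything else."""
    if verdict.masquerading:
        return "block"
    if verdict.user_executed:
        return "detonate"
    return "deliver"


def triage_mail_log(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (recipient, attachment, action) for each constructed log line
    that carries an attachment; lines without one are skipped."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_attachment(m.group("name"))
        results.append((m.group("rcpt"), verdict.filename, triage_attachment(verdict)))
    return results


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    'sender=hr@example.test recipient=alice@example.test attachment="Q3_report.docx"',
    'sender=billing@example.test recipient=bob@example.test attachment="invoice.pdf.exe"',
    'sender=it@example.test recipient=carol@example.test attachment="Quarterly plan.doc"',
    'sender=news@example.test recipient=dave@example.test attachment="photo.jpg                      .scr"',
    'sender=ops@example.test recipient=erin@example.test attachment="open_me.lnk"',
]

if __name__ == "__main__":
    for rcpt, name, action in triage_mail_log(SAMPLE_LOG):
        print(f"{action:9} {rcpt:22} {name!r}")
```

The decision keys only on the final extension because that is what the operating system acts on; the inner extension and padding are treated purely as masquerading signals. A `.docx` attachment is delivered here only because the technique description's list does not include it, so a deployment would extend `USER_EXECUTED_EXTENSIONS` to match its own policy.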
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-4 | Information Flow Enforcement | Protects | T1204.002 | Malicious File | |
CA-7 | Continuous Monitoring | Protects | T1204.002 | Malicious File | |
CM-2 | Baseline Configuration | Protects | T1204.002 | Malicious File | |
CM-6 | Configuration Settings | Protects | T1204.002 | Malicious File | |
CM-7 | Least Functionality | Protects | T1204.002 | Malicious File | |
SC-44 | Detonation Chambers | Protects | T1204.002 | Malicious File | |
SC-7 | Boundary Protection | Protects | T1204.002 | Malicious File | |
SI-10 | Information Input Validation | Protects | T1204.002 | Malicious File | |
SI-3 | Malicious Code Protection | Protects | T1204.002 | Malicious File | |
SI-4 | System Monitoring | Protects | T1204.002 | Malicious File | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1204.002 | Malicious File | |
SI-8 | Spam Protection | Protects | T1204.002 | Malicious File | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Unknown | Unknown | related-to | T1204.002 | User Execution: Malicious File | |
action.malware.vector.Email attachment | Email via user-executed attachment. Child of 'Email' | related-to | T1204.002 | User Execution: Malicious File | |
action.social.variety.Phishing | Phishing (or any type of *ishing) | related-to | T1204.002 | User Execution: Malicious File | |