T1204.002 Malicious File Mappings

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. The two groups execute differently: the document formats (.doc, .xls, .rtf, .pdf) gain execution through the application that opens them, via a macro, an embedded object, or an exploit against the parser, while .exe, .scr and .pif are run by the Windows shell as native executables, .cpl is loaded as a DLL, and .lnk launches whatever command line the shortcut carries.

Adversaries may employ various forms of Masquerading on the file (a misleading icon, a document name with a double extension such as .pdf.exe, or a right-to-left override character that hides the real extension) to increase the likelihood that a user will open it.

While Malicious File frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
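The two sides of the technique described above, as an added example that is not part of this page or of MITRE ATT&CK: a pre-execution file triage that checks the name and leading bytes of a candidate attachment (the kind of check behind SI-3 and SI-10 in the mappings below) and a post-execution lineage rule that flags a document handler spawning an interpreter (the SI-4 side). The extension list is the one from the technique description; the magic-byte table, file names, and Sysmon-style process records are constructed for this example.

```python
"""T1204.002 triage: file name/content checks plus a process-lineage rule.
All samples below are constructed for this example."""
from __future__ import annotations

# Extensions named in the technique description, split by how they execute.
DIRECT_EXEC = {".exe", ".scr", ".pif", ".cpl", ".lnk"}   # run by the shell directly
DOCUMENT_EXT = {".doc", ".xls", ".rtf", ".pdf"}           # run through a document handler

# Leading bytes of the containers those extensions claim to be (assumed table).
MAGIC = [
    (b"MZ", "pe"),                                     # .exe/.scr/.pif/.cpl are PE images
    (b"L\x00\x00\x00\x01\x14\x02\x00", "lnk"),         # ShellLink header size + CLSID start
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),      # legacy .doc/.xls compound file
    (b"%PDF", "pdf"),
    (b"{\\rtf", "rtf"),
    (b"PK\x03\x04", "zip"),                            # OOXML or a plain archive
]
EXPECTED_KIND = {".exe": "pe", ".scr": "pe", ".pif": "pe", ".cpl": "pe",
                 ".lnk": "lnk", ".doc": "ole", ".xls": "ole",
                 ".pdf": "pdf", ".rtf": "rtf"}
RTLO = "\u202e"  # right-to-left override: makes "fdp.exe" render as "exe.pdf"


def sniff(head: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def triage_file(name: str, head: bytes) -> list[str]:
    """Return findings for one file from its name and first bytes."""
    findings: list[str] = []
    if RTLO in name:
        findings.append("rtlo-in-name")
        name = name.replace(RTLO, "")    # the OS acts on the logical name, so do we
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in DIRECT_EXEC:
        findings.append("direct-exec:" + ext)
    # "invoice.pdf.exe": a document extension sits in front of the real one.
    if any("." + p in DOCUMENT_EXT for p in parts[1:-1]):
        findings.append("double-extension")
    kind = sniff(head)
    want = EXPECTED_KIND.get(ext)
    if want and kind != want:
        # Word and Excel open by content, so an RTF or PE named .doc still opens;
        # the mismatch is a signal to act on, not a parsing error to ignore.
        findings.append(f"content-mismatch:{ext}={kind}")
    return findings


# Post-execution: a document handler should not be starting an interpreter.
DOC_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "wordpad.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_spawns(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (parent, child, command line) for Sysmon EventID 1-style records
    (Image, ParentImage, CommandLine) where a handler spawned an interpreter."""
    hits = []
    for ev in events:
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        if parent in DOC_HANDLERS and child in INTERPRETERS:
            hits.append((parent, child, ev["CommandLine"]))
    return hits


# Constructed samples so the script runs stand-alone.
SAMPLE_FILES = {
    "Q3-invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "invoice\u202efdp.exe": b"MZ\x90\x00" + b"\x00" * 60,          # shows as invoiceexe.pdf
    "agenda.doc": b"{\\rtf1\\ansi" + b"\x00" * 60,                  # RTF delivered as .doc
    "agenda-real.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 60,
    "setup.lnk": b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46",
}
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": 'cmd.exe /c powershell -w hidden -nop -c "Start-Process calc"'},
    {"Image": r"C:\Windows\System32\spoolsv.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\spoolsv.exe"},
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for fname, head in SAMPLE_FILES.items():
        print(f"{fname!r}: {triage_file(fname, head)}")
    for parent, child, cmdline in suspicious_spawns(SAMPLE_EVENTS):
        print(f"{parent} -> {child}: {cmdline}")
```

The content check is deliberately independent of the name check: a file that passes both (a real PDF named .pdf) can still carry an exploit for the reader, which is why the mappings below pair input validation with detonation chambers (SC-44) and system monitoring (SI-4) rather than relying on any one of them.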


Mappings

The rows come from three mapping sources: NIST SP 800-53 security controls (mapping type Protects), CVE records (exploitation_technique, primary_impact, or uncategorized; the description column holds the affected product as recorded, or n/a where none was), and VERIS enumerations (related-to).

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-4 | Information Flow Enforcement | Protects | T1204.002 | Malicious File |
| CA-7 | Continuous Monitoring | Protects | T1204.002 | Malicious File |
| CM-2 | Baseline Configuration | Protects | T1204.002 | Malicious File |
| CM-6 | Configuration Settings | Protects | T1204.002 | Malicious File |
| CM-7 | Least Functionality | Protects | T1204.002 | Malicious File |
| SC-44 | Detonation Chambers | Protects | T1204.002 | Malicious File |
| SC-7 | Boundary Protection | Protects | T1204.002 | Malicious File |
| SI-10 | Information Input Validation | Protects | T1204.002 | Malicious File |
| SI-3 | Malicious Code Protection | Protects | T1204.002 | Malicious File |
| SI-4 | System Monitoring | Protects | T1204.002 | Malicious File |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1204.002 | Malicious File |
| SI-8 | Spam Protection | Protects | T1204.002 | Malicious File |
| CVE-2019-15287 | Cisco WebEx WRF Player | exploitation_technique | T1204.002 | Malicious File |
| CVE-2019-1772 | Cisco WebEx WRF Player | exploitation_technique | T1204.002 | Malicious File |
| CVE-2019-12696 | Cisco FireSIGHT System Software | exploitation_technique | T1204.002 | Malicious File |
| CVE-2020-3440 | Cisco Webex Meetings | exploitation_technique | T1204.002 | Malicious File |
| CVE-2018-15376 | Cisco IOS Software | exploitation_technique | T1204.002 | Malicious File |
| CVE-2020-3126 | Cisco Webex Meetings Multimedia Viewer | primary_impact | T1204.002 | Malicious File |
| CVE-2019-1915 | Cisco Unified Communications Manager | exploitation_technique | T1204.002 | Malicious File |
| CVE-2020-3322 | Cisco Webex Network Recording Player | exploitation_technique | T1204.002 | Malicious File |
| CVE-2020-3198 | Cisco IOS 12.2(60)EZ16 | exploitation_technique | T1204.002 | Malicious File |
| CVE-2018-15782 | RSA Authentication Manager | exploitation_technique | T1204.002 | Malicious File |
| CVE-2019-3719 | SupportAssist Client | exploitation_technique | T1204.002 | Malicious File |
| CVE-2018-11075 | Authentication Manager | exploitation_technique | T1204.002 | Malicious File |
| CVE-2019-18571 | RSA Identity Governance & Lifecycle | exploitation_technique | T1204.002 | Malicious File |
| CVE-2020-4068 | APNSwift | exploitation_technique | T1204.002 | Malicious File |
| CVE-2020-11073 | zsh-autoswitch-virtualenv | exploitation_technique | T1204.002 | Malicious File |
| CVE-2019-13522 | EZ PLC Editor | exploitation_technique | T1204.002 | Malicious File |
| CVE-2018-8835 | Advantech WebAccess HMI Designer | exploitation_technique | T1204.002 | Malicious File |
| CVE-2020-16211 | Advantech WebAccess HMI Designer | exploitation_technique | T1204.002 | Malicious File |
| CVE-2019-0911 | Internet Explorer 11 | exploitation_technique | T1204.002 | Malicious File |
| CVE-2018-8355 | ChakraCore | exploitation_technique | T1204.002 | Malicious File |
| CVE-2019-1118 | Windows | exploitation_technique | T1204.002 | Malicious File |
| CVE-2019-0576 | Windows 7 | exploitation_technique | T1204.002 | Malicious File |
| CVE-2020-1495 | Microsoft SharePoint Server 2010 Service Pack 2 | exploitation_technique | T1204.002 | Malicious File |
| CVE-2018-8248 | Microsoft Office | exploitation_technique | T1204.002 | Malicious File |
| CVE-2018-8111 | Microsoft Edge | exploitation_technique | T1204.002 | Malicious File |
| CVE-2020-1569 | Microsoft Edge (EdgeHTML-based) | exploitation_technique | T1204.002 | Malicious File |
| CVE-2020-16874 | Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6) | exploitation_technique | T1204.002 | Malicious File |
| CVE-2019-1013 | Windows | exploitation_technique | T1204.002 | Malicious File |
| CVE-2019-0609 | Internet Explorer 11 | exploitation_technique | T1204.002 | Malicious File |
| CVE-2018-8353 | n/a | exploitation_technique | T1204.002 | Malicious File |
| CVE-2018-8110 | Microsoft Edge | exploitation_technique | T1204.002 | Malicious File |
| CVE-2018-8575 | Microsoft Project | exploitation_technique | T1204.002 | Malicious File |
| CVE-2019-1035 | Microsoft Office | exploitation_technique | T1204.002 | Malicious File |
| CVE-2014-4123 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2014-0266 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2010-1885 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2009-3459 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2020-13125 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2014-7187 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2018-20250 | WinRAR | uncategorized | T1204.002 | Malicious File |
| CVE-2017-8464 | Windows Shell | uncategorized | T1204.002 | Malicious File |
| CVE-2017-11882 | Microsoft Office | uncategorized | T1204.002 | Malicious File |
| CVE-2017-11826 | Microsoft Office | uncategorized | T1204.002 | Malicious File |
| CVE-2017-0261 | Microsoft Office | uncategorized | T1204.002 | Malicious File |
| CVE-2015-6585 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2015-1642 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2015-0096 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2014-7247 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2014-6352 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2013-1331 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2010-1424 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2010-0840 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2009-4324 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2009-0556 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2019-13541 | Horner Automation Cscape | uncategorized | T1204.002 | Malicious File |
| CVE-2019-13527 | Rockwell Automation Arena Simulation Software Cat. 9502-Ax, Versions 16.00.00 and earlier | uncategorized | T1204.002 | Malicious File |
| CVE-2017-8570 | Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, and Microsoft Office 2016 | uncategorized | T1204.002 | Malicious File |
| CVE-2017-0262 | Microsoft Office | uncategorized | T1204.002 | Malicious File |
| CVE-2016-7193 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2015-2509 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2014-0810 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2013-3644 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2010-3915 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2010-3333 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2010-2862 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2010-0028 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2009-3129 | n/a | uncategorized | T1204.002 | Malicious File |
| CVE-2009-0927 | n/a | uncategorized | T1204.002 | Malicious File |
| action.malware.variety.Unknown | Unknown | related-to | T1204.002 | User Execution: Malicious File |
| action.malware.vector.Email attachment | Email via user-executed attachment. Child of 'Email' | related-to | T1204.002 | User Execution: Malicious File |
| action.social.variety.Phishing | Phishing (or any type of *ishing) | related-to | T1204.002 | User Execution: Malicious File |