Detonation chambers, also known as dynamic execution environments, allow organizations to open email attachments, execute untrusted or suspicious applications, and execute Universal Resource Locator requests in the safety of an isolated environment or a virtualized sandbox. Protected and isolated execution environments provide a means of determining whether the associated attachments or applications contain malicious code. While related to the concept of deception nets, the employment of detonation chambers is not intended to maintain a long-term environment in which adversaries can operate and their actions can be observed. Rather, detonation chambers are intended to quickly identify malicious code and either reduce the likelihood that the code is propagated to user environments of operation or prevent such propagation completely.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| SC-44 | Detonation Chambers | Protects | T1204 | User Execution |
| SC-44 | Detonation Chambers | Protects | T1204.001 | Malicious Link |
| SC-44 | Detonation Chambers | Protects | T1204.002 | Malicious File |
| SC-44 | Detonation Chambers | Protects | T1204.003 | Malicious Image |
| SC-44 | Detonation Chambers | Protects | T1221 | Template Injection |
| SC-44 | Detonation Chambers | Protects | T1566 | Phishing |
| SC-44 | Detonation Chambers | Protects | T1566.001 | Spearphishing Attachment |
| SC-44 | Detonation Chambers | Protects | T1566.002 | Spearphishing Link |
| SC-44 | Detonation Chambers | Protects | T1566.003 | Spearphishing via Service |
| SC-44 | Detonation Chambers | Protects | T1598 | Phishing for Information |
| SC-44 | Detonation Chambers | Protects | T1598.001 | Spearphishing Service |
| SC-44 | Detonation Chambers | Protects | T1598.002 | Spearphishing Attachment |
| SC-44 | Detonation Chambers | Protects | T1598.003 | Spearphishing Link |