Malicious File (T1204.002)

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. Adversaries may employ various forms of Masquerading and Obfuscated Files or Information to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs) While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

Source: https://github.com/mitre/cti
Related Prelude attack chains
Release Date (Newest)
Filterfilter
Search for chains, TTPs, themes, and text

Browse By:

Platforms

  • All
  • Windows
  • Linux
  • Darwin
  • Global
  • Android

Themes

Tags

Licenses

Are MOUSEISLAND malware procedures mitigated on this host?

2022-09-19

/static/assets/windows-logo.svg
Emulates procedures found in MOUSEISLAND malware.
Are GootLoader malware procedures mitigated on this host?

2022-08-30

/static/assets/windows-logo.svg
Emulates tactics found in GootLoader malware.
APT29 COVID-19 Vaccine Data

2022-03-22

/static/assets/linux-logo.svg
Emulating APT29's WellMess malware targeting vaccine research.
APT29 Democratic National Committee

2022-03-01

/static/assets/windows-logo.svg
Emulating Cozy Bear's 2016 Democratic National Committee hack.
Conti Recon And Initial Access

2022-01-10

/static/assets/windows-logo.svg
Perform recon and initial access of target environment
Android ADB Shell

2021-12-07

/static/assets/android-logo.svg
A first collection of TTPs for Android specifically targeting ADB shell commands
B1-66ER (Initial Access)

2021-09-28

/static/assets/linux-logo.svg
Gain initial access by installing SciPy with concealed Schism agent