- Tactics
- Execution
- Platforms
- Linux, macOS, Windows
- Reference
- attack.mitre.org/techniques/T1204.002
Description
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.(Citation: Mandiant Trojanized Windows 10)
Adversaries may employ various forms of Masquerading and Obfuscated Files or Information to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs)
While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user’s desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Execution tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1047 — Windows Management Instrumentation
- T1053 — Scheduled Task/Job
- T1059 — Command and Scripting Interpreter
- T1072 — Software Deployment Tools
- T1106 — Native API
- T1127 — Trusted Developer Utilities Proxy Execution
- T1129 — Shared Modules
- T1197 — BITS Jobs
- T1203 — Exploitation for Client Execution
- T1204 — User Execution
- T1559 — Inter-Process Communication
- T1569 — System Services