Esc

Malicious File - T1204.002

(ATT&CK® Technique)

Definition

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1204002["Malicious File"] --> |executes| ExecutableFile["Executable File"]; class T1204002 OffensiveTechniqueNode;
        class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile";
        click T1204002 href "/offensive-technique/attack/T1204.002/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile";             FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | ExecutableFile["Executable File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1204002["Malicious File"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] -->
          | deletes | ExecutableFile["Executable File"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1204002["Malicious File"] ;
          class FileEviction DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction";                           FileEncryption["File Encryption"] -->
          | encrypts | ExecutableFile["Executable File"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1204002["Malicious File"] ;
          class FileEncryption DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption";              ExecutableAllowlisting["Executable Allowlisting"] -->
          | blocks | ExecutableFile["Executable File"];

          ExecutableAllowlisting["Executable Allowlisting"] -.->
            | may-isolate | T1204002["Malicious File"] ;
          class ExecutableAllowlisting DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] -->
          | blocks | ExecutableFile["Executable File"];

          ExecutableDenylisting["Executable Denylisting"] -.->
            | may-isolate | T1204002["Malicious File"] ;
          class ExecutableDenylisting DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting";                   RestoreFile["Restore File"] -->
          | restores | ExecutableFile["Executable File"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1204002["Malicious File"] ;
          class RestoreFile DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile"; LocalFilePermissions["Local File Permissions"] -->
          | restricts | ExecutableFile["Executable File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-isolate | T1204002["Malicious File"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";                           DecoyFile["Decoy File"] -->
          | spoofs | ExecutableFile["Executable File"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1204002["Malicious File"] ;
          class DecoyFile DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile";                      RemoteFileAccessMediation["Remote File Access Mediation"] -->
          | isolates | ExecutableFile["Executable File"];

          RemoteFileAccessMediation["Remote File Access Mediation"] -.->
            | may-isolate | T1204002["Malicious File"] ;
          class RemoteFileAccessMediation DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";        DynamicAnalysis["Dynamic Analysis"] -->
          | analyzes | ExecutableFile["Executable File"];

          DynamicAnalysis["Dynamic Analysis"] -.->
            | may-detect | T1204002["Malicious File"] ;
          class DynamicAnalysis DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] -->
          | analyzes | ExecutableFile["Executable File"];

          EmulatedFileAnalysis["Emulated File Analysis"] -.->
            | may-detect | T1204002["Malicious File"] ;
          class EmulatedFileAnalysis DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis";                           FileAnalysis["File Analysis"] -->
          | analyzes | ExecutableFile["Executable File"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1204002["Malicious File"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class ExecutableFile ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis";

json