-
Notifications
You must be signed in to change notification settings - Fork 6
/
attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e.json
38 lines (38 loc) · 2.66 KB
/
attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
{
"external_references": [
{
"source_name": "mitre-attack",
"external_id": "T1204.002",
"url": "https://attack.mitre.org/techniques/T1204/002"
}
],
"created_by_ref": "The MITRE Corporation",
"name": "Malicious File",
"description": "An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) on the file to increase the likelihood that a user will open it.\n\nWhile [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).",
"id": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
"type": "attack-pattern",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"modified": "2020-03-11T14:55:56.177Z",
"created": "2020-03-11T14:49:36.954Z",
"x_mitre_version": "1.0",
"x_mitre_is_subtechnique": true,
"x_mitre_permissions_required": [
"User"
],
"x_mitre_detection": "Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain initial access that require user interaction. This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).",
"x_mitre_data_sources": [
"Anti-virus",
"Process command-line parameters",
"Process monitoring"
],
"x_mitre_platforms": [
"Linux",
"macOS",
"Windows"
]
}