T1204.002 · execution · 83 actors · 14 correlated reports

Malicious File

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, and .reg. Adversaries may employ various forms of Masquerading and Obfuscated Files or Information to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it. While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.

Open detection, hunting, mitigation, and evidence workspace

Detection logic

Monitor the execution of and command-line arguments for applications that may be used by an adversary to gain initial access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads. Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).

Observed actors

APT38
G0082 Indrik Spider
G0119 Elderwood
G0066 SideCopy
G1008 Kimsuky
G0094 EXOTIC LILY
G1011 admin@338
G0018 Patchwork
G0040 Dragonfly
G0035 Gorgon Group
G0078 menuPass
G0045 APT32
G0050 MuddyWater
G0069 Naikon
G0019 FIN6
G0037 Gamaredon Group
G0047 Gallmaker
G0084 FIN7
G0046 Sandworm Team
G0034 Machete
G0095 Andariel
G0138 CURIUM
G1012 Sidewinder
G0121 Mustang Panda
G0129 APT39
G0087 TA2541
G1018 APT37
G0067 OilRig
G0049 Higaisa
G0126 Tropic Trooper
G0081 TA459
G0062 Aoqin Dragon
G1007 Ferocious Kitten
G0137 The White Company
G0089 Saint Bear
G1031 DarkHydrus
G0079 Confucius
G0142 BlackTech
G0098 Leviathan
G0065 TA505
G0092 BITTER
G1002 RedCurl
G1039 Mofang
G0103 APT29
G0016 Dark Caracal
G0070 BRONZE BUTLER
G0060 TA551
G0127 Star Blizzard
G1033 Darkhotel
G0012 Ember Bear
G1003 LazyScripter
G0140 Windshift
G0112 Whitefly
G0107 APT28
G0007 Malteiro
G1026 RTM
G0048 APT12
G0005 APT-C-36
G0099 Tonto Team
G0131 Lazarus Group
G0032 Earth Lusca
G1006 FIN4
G0085 Silence
G0091 Cobalt Group
G0080 Wizard Spider
G0102 Molerats
G0021 Transparent Tribe
G0134 IndigoZebra
G0136 Moonstone Sleet
G1036 Inception
G0100 PROMETHIUM
G0056 APT30
G0013 HEXANE
G1001 Rancor
G0075 WIRTE
G0090 PLATINUM
G0068 Magic Hound
G0059 Ajax Security Team
G0130 Threat Group-3390
G0027 APT33
G0064 FIN8
G0061 APT19
G0073 Nomadic Octopus
G0133

Correlated CTI and IR reports

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research