Malicious File
Malicious File [T1204.002]
Information
Introduction
Malicious File [T1204.002] is a sub-technique within the MITRE ATT&CK framework under the parent technique "User Execution." This sub-technique involves adversaries delivering malicious files directly to users, often through email attachments, web downloads, or removable media. Once opened or executed by the victim, these files initiate unauthorized actions, including malware installation, privilege escalation, or lateral movement across the network. Malicious files can come in multiple forms, such as executables, scripts, macro-enabled documents, or compressed archives containing malware payloads.
Deep Dive Into Technique
Malicious File [T1204.002] relies on user interaction to execute the delivered malicious payload. Attackers typically leverage social engineering tactics to convince users to open or run the malicious file. Technical details of execution methods and mechanisms include:
File Types and Formats:
Executable files (.exe, .msi, .dll)
Script files (.bat, .vbs, .ps1, .sh, .js)
Documents with macros (Microsoft Office documents like .docm, .xlsm, .pptm)
PDF files with embedded scripts or exploits
Compressed archives (.zip, .rar, .7z) containing malicious payloads
Delivery Mechanisms:
Phishing emails with malicious attachments
Malicious links directing users to compromised or attacker-controlled websites
Drive-by downloads initiated from compromised legitimate websites
Removable media (USB drives, external storage devices)
File-sharing services or cloud storage platforms
Execution Methods:
User directly opening or executing the file
Automatic execution through macros or embedded scripts upon opening documents
Exploitation of vulnerabilities in software applications triggered by opening malicious files
Use of legitimate system utilities to execute malicious payloads, leveraging techniques such as Living-off-the-Land (LotL)
Real-world Procedures:
Embedding malware within seemingly legitimate files, such as invoices, resumes, shipping notifications, or financial documents
Obfuscating malicious code within macros or scripts to evade detection
Utilizing file extensions that mimic legitimate file types (e.g., "invoice.pdf.exe")
Employing double extensions or Unicode characters to disguise executable files
Leveraging vulnerabilities in common software (e.g., Adobe Reader, Microsoft Office) to trigger payload execution without explicit user consent
When this Technique is Usually Used
This sub-technique is prevalent across multiple attack scenarios and stages, including:
Initial Access:
Attackers commonly use malicious files in phishing campaigns to gain initial foothold within targeted organizations.
Malicious email attachments are frequently employed to deliver initial malware payloads.
Execution:
Malicious files are executed by users, directly enabling attackers to run arbitrary code on compromised systems.
Privilege Escalation and Persistence:
Attackers may deliver files containing scripts or executables designed to escalate privileges or establish persistence mechanisms.
Lateral Movement:
Malicious files can be distributed internally within a compromised network via shared drives, network shares, or internal email systems to propagate malware infections.
Collection and Exfiltration:
Attackers may use malicious files to deploy tools for data collection, credential harvesting, or data exfiltration.
How this Technique is Usually Detected
Detection of Malicious File [T1204.002] involves multiple methods, tools, and indicators:
Endpoint Detection and Response (EDR) Tools:
Monitoring execution of suspicious executables or scripts
Identifying unusual processes or abnormal process trees
Detecting malicious macro execution or script execution from documents
Email Security Solutions:
Scanning email attachments for malicious payloads
Identifying known malicious file hashes or signatures
Analyzing attachments with sandboxing techniques to detect malicious behaviors
Network Monitoring and Intrusion Detection Systems (IDS):
Detecting downloads of malicious files from known malicious domains or IP addresses
Identifying unusual file transfer activities within internal networks
Sandbox Analysis:
Executing suspicious files in controlled environments to observe malicious behaviors
Analyzing file behaviors such as process creation, registry modifications, file system changes, and network connections
File Integrity Monitoring (FIM):
Monitoring critical system directories for unauthorized file modifications or additions
Specific Indicators of Compromise (IoCs):
Known malicious file hashes (MD5, SHA1, SHA256)
Suspicious file extensions or double extensions (e.g., ".pdf.exe", ".doc.js")
Unusual file metadata or digital signatures
Suspicious macro content or obfuscated scripts within documents
Embedded payloads identified through static or dynamic file analysis
Why it is Important to Detect This Technique
Early detection of Malicious File [T1204.002] is crucial due to the significant impacts it can have on systems and networks, including:
Malware Infection and Propagation:
Malicious files commonly deliver ransomware, spyware, remote access trojans (RATs), or other malware variants that can rapidly propagate within an organization.
Data Breaches and Exfiltration:
Malicious files often facilitate unauthorized access, data theft, or sensitive information exfiltration, leading to significant financial and reputational damage.
Operational Disruption:
Malware delivered through malicious files can disrupt critical business operations, impacting productivity and availability of essential services.
Privilege Escalation and Persistence:
Malicious files can enable attackers to escalate privileges, establish persistent backdoors, and maintain long-term unauthorized access to compromised systems.
Compliance and Regulatory Risks:
Failure to detect and mitigate malicious file-based attacks can result in regulatory penalties, compliance violations, and legal consequences.
Early detection enables timely containment and remediation, reducing the overall impact and cost associated with malicious file-based attacks.
Examples
Real-world examples of Malicious File [T1204.002] include:
Emotet Malware Campaigns:
Attackers delivered malicious macro-enabled Microsoft Word documents via phishing emails.
Upon opening, macros executed PowerShell scripts to download and execute Emotet malware, leading to credential theft, lateral movement, and further malware infections.
TrickBot Banking Trojan:
Malicious files delivered as fake invoices or financial documents containing macros or embedded scripts.
Execution resulted in installation of TrickBot malware, enabling credential harvesting, lateral spread, and ransomware deployment.
Ryuk Ransomware Attacks:
Attackers used malicious files disguised as legitimate business communications (e.g., invoices, purchase orders).
Files executed scripts or macros that downloaded and installed Ryuk ransomware, resulting in extensive data encryption and operational disruption.
COVID-19 Themed Phishing Campaigns:
Attackers exploited global events by delivering malicious files disguised as health advisories, safety guidelines, or government notifications.
Malicious attachments executed scripts or macros, installing backdoors or credential-stealing malware.
APT29 (Cozy Bear) Campaign:
Malicious files delivered via spear-phishing emails containing weaponized documents with embedded exploits.
Opening these files triggered vulnerabilities in software applications, enabling remote code execution, espionage activities, and data exfiltration.
In each example, attackers leveraged malicious files to gain initial access, execute unauthorized actions, and achieve their objectives, underscoring the importance of robust detection and prevention strategies.
Last updated
Was this helpful?