T1204.002: Malicious File
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
Adversaries may employ various forms of Masquerading and Obfuscated Files or Information to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.
While Malicious File frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
Rule pack | Rule ID | Rule name | Description
---|---|---|---
process_chains_and_logons | PT-CR-950 | Suspicious_Office_Process_Chain | Suspicious process start chain for Microsoft Office or Adobe Acrobat applications
vulnerabilities | PT-CR-1377 | Foxit_PDF_Reader_RCE | Possible exploitation of vulnerability CVE-2022-28672 in Foxit PDF Reader, which can lead to arbitrary code execution
mitre_attck_execution | PT-CR-2664 | Outlook_VBA_Addin_Load | The Outlook process loaded the library "Microsoft VBA for Outlook Addin" (OUTLVBA.DLL). This may indicate the use of VBA macros to execute arbitrary code.
mitre_attck_execution | PT-CR-648 | Suspicious_Child_From_Messenger_Process | A user started a process from a parent messenger process
mitre_attck_execution | PT-CR-605 | Office_File_With_Macros | A user opened a Microsoft Office document with a macro
mitre_attck_execution | PT-CR-1093 | Subrule_Payload_Download_Via_WebClient | A subrule of the MSDT_Remote_Code_Execution rule detected a connection to remote storage and the download of a malicious file
mitre_attck_execution | PT-CR-952 | Suspicious_ShortHanded_Process_Started | Executable files with suspicious names consisting of one or two letters were run
mitre_attck_execution | PT-CR-1090 | MSDT_Remote_Code_Execution | Vulnerability CVE-2022-34713 has been exploited in the msdt.exe service, and a malicious file is downloaded from an attacker host
mitre_attck_execution | PT-CR-345 | Malicious_Office_Document | A suspicious sequence of process startups by a Microsoft Office application is detected
mitre_attck_execution | PT-CR-1357 | Suspicious_Directory_For_Process | An executable file was launched from a suspicious directory
unix_mitre_attck_execution | PT-CR-1071 | Unix_Connect_From_Home_Dir | A network API call on behalf of a process running from a user's home directory
unix_mitre_attck_execution | PT-CR-482 | Unix_Connect_From_Suspicious_Dir | A network API call on behalf of a process run from a suspicious directory
mitre_attck_defense_evasion | PT-CR-933 | Malicious_Activity_From_Office_Documents | The following suspicious activity of office programs is detected: creating executables, changing registry keys, loading the DLL of an Internet Explorer COM object, creating threads in other processes' address space
unix_mitre_attck_defense_evasion | PT-CR-485 | Unix_Run_Process_From_Suspicious_Directory | A process was started from an unexpected directory
mitre_attck_persistence | PT-CR-2649 | Outlook_Form_Exploitation | Outlook started a suspicious process after a custom form was created in the Outlook client. This may indicate an attacker's attempt to gain persistence in the system or execute arbitrary code.
antimalware | PT-CR-2412 | XDR_Detected_Malicious_Object | PT XDR detected an unwanted or malicious object
antimalware | PT-CR-805 | Malicious_File_Is_Run | The launch of a malicious file is detected
hacking_tools | PT-CR-353 | Koadic_MSHTA_Stager | Possible use of the Koadic software (a framework designed for post-exploitation on Windows family operating systems) that runs a payload on the attacked host using Microsoft Windows HTML Application was detected
hacking_tools | PT-CR-361 | Koadic_Rundll32_Stager | Possible use of the Koadic software with Rundll32 is detected
hacking_tools | PT-CR-350 | Cobalt_Strike_SMB_Beacon | A named pipe specific to the Cobalt Strike software was created or connected
hacking_tools | PT-CR-587 | SilentTrinity_Stager | Possible execution of the SilentTrinity stager is detected
hacking_tools | PT-CR-357 | Koadic_REGSVR32_Stager | Possible use of the Koadic software with Regsvr32 is detected
Detection
ID | Data source and component | Description
---|---|---
DS0022 | File: File Creation | Monitor for newly constructed files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe). For Windows, Sysmon Event ID 11 (File create) can be used to track file creation events. This event also provides the Process ID of the process that created the file, which can be correlated with process creation events (e.g., Sysmon Event ID 1) to determine if the file was downloaded from an external network. For macOS, utilities that work in concert with Apple’s Endpoint Security Framework, such as File Monitor, can be used to track file creation events. Analytic 1 - Batch File Write to System32: while batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This analytic looks for the suspicious activity of a batch file being created within the C:\Windows\System32 directory tree. There will be only occasional false positives due to administrator actions.
DS0009 | Process: Process Creation | Monitor for newly constructed processes and/or command-lines for applications that may be used by an adversary to gain initial access that require user interaction. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.
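As an added example (not part of this page, the ATT&CK analytic, or the MaxPatrol rule set), the Analytic 1 logic run over constructed Sysmon-style records: Event ID 11 file creations are checked for .bat/.cmd writes under C:\Windows\System32 and correlated by ProcessId with Event ID 1 to recover the creating process's parent. The sample records, the USER_DOC_APPS image list and the severity scheme are assumptions.

```python
import ntpath

# Constructed Sysmon-style records, not real telemetry: EventID 1 = process create, 11 = file create.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 4120, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Windows\System32\Tasks\update.bat"},
    {"EventID": 1, "ProcessId": 5080, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 11, "ProcessId": 5080, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\System32\config\install.log"},   # not a batch file
    {"EventID": 11, "ProcessId": 7002, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\cleanup.CMD"},            # outside System32 tree
    {"EventID": 11, "ProcessId": 6011, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\etc\fix.cmd"},    # no matching Event ID 1
]

SYSTEM32 = "c:\\windows\\system32\\"
BATCH_EXTS = {".bat", ".cmd"}
# Assumed list of document-handling apps that should not be writing batch files (hypothetical).
USER_DOC_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}

def is_batch_write_in_system32(target):
    # Analytic 1: a .bat/.cmd created anywhere under the C:\Windows\System32 tree (case-insensitive).
    t = target.lower()
    return t.startswith(SYSTEM32) and ntpath.splitext(t)[1] in BATCH_EXTS

def find_batch_writes(events):
    # Correlate each Event ID 11 hit with the Event ID 1 record of the same ProcessId.
    starts = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] != 11 or not is_batch_write_in_system32(e["TargetFilename"]):
            continue
        start = starts.get(e["ProcessId"])
        creator = ntpath.basename(e["Image"]).lower()
        alerts.append({
            "file": e["TargetFilename"],
            "creator": creator,
            "parent": ntpath.basename(start["ParentImage"]).lower() if start else None,
            # Raise severity when a document-handling app (the T1204.002 case) wrote the batch file.
            "severity": "high" if creator in USER_DOC_APPS else "medium",
        })
    return alerts

if __name__ == "__main__":
    for alert in find_batch_writes(SAMPLE_EVENTS):
        print(alert)
```

A missing `parent` (no Event ID 1 seen for that ProcessId) usually means the process started before the sensor did, so the alert is kept rather than dropped.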
Mitigation
ID | Name | Description
---|---|---
M1038 | Execution Prevention | Application control may be able to prevent the running of executables masquerading as other files.
M1040 | Behavior Prevention on Endpoint | On Windows 10, various Attack Surface Reduction (ASR) rules can be enabled to prevent the execution of potentially malicious executable files (such as those that have been downloaded and executed by Office applications/scripting interpreters/email clients or that do not meet specific prevalence, age, or trusted list criteria). Note: cloud-delivered protection must be enabled for certain rules.
M1017 | User Training | Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.