CYBERSECURITY JOB HUNTING GUIDE
T1204.002 Malicious File
Author: Stefan Waldvogel
LimaCharlie vs. External Remote Services
Overview:
Description from ATT&CK
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
Adversaries may employ various forms of Masquerading on the file to increase the likelihood that a user will open it.
While Malicious File frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
source: github.com/redcanaryco/atomic-red-team/tree/master/atomics
Commands:
Invoke-AtomicTest T1204.002 -ShowDetailsBrief
Invoke-AtomicTest T1204.002 -CheckPrereqs
Invoke-AtomicTest T1204.002 -GetPrereqs
Invoke-AtomicTest T1204.002
Invoke-AtomicTest T1204.002 -Cleanup
Contains 8 subtests
Changes:
-none-
Limitations:
Most of tests 1-7 require VBA/Word, which is not installed on the test system
Result:
Invoke-AtomicTest T1204.002 -TestNumbers 1
Invoke-AtomicTest T1204.002 -TestNumbers 2
Invoke-AtomicTest T1204.002 -TestNumbers 3
Invoke-AtomicTest T1204.002 -TestNumbers 4
Invoke-AtomicTest T1204.002 -TestNumbers 5
Invoke-AtomicTest T1204.002 -TestNumbers 6
Invoke-AtomicTest T1204.002 -TestNumbers 7
Invoke-AtomicTest T1204.002 -TestNumbers 8: detected (Sigma rule via Soteria) as 00269-WIN-Powershell_With_URL_In_Commandline
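The only hit above comes from a "PowerShell with URL in command line" rule. To make clear what such a rule actually keys on, and why it fires on test 8 but not on the Word/VBA tests, here is an added, self-contained re-implementation of that detection idea in Python. It is not LimaCharlie's or Soteria's rule and not code from this page; the event field names, the image list, the URL pattern and the sample events are all constructed assumptions modelled loosely on process-creation telemetry. It also goes one step beyond the rule by prioritising hits whose parent is an Office process, the chain a malicious document typically produces.

```python
import re
from dataclasses import dataclass

# Constructed process-creation event (assumption: fields resemble Sysmon/EDR
# NEW_PROCESS telemetry; these are not real LimaCharlie field names).
@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the new process
    command_line: str   # command line as logged
    parent_image: str   # full path of the parent process

# Assumed set of PowerShell host binaries to match on.
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
# Assumed set of Office parents that make a PowerShell+URL hit more urgent.
OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")

# Scheme-prefixed URL anywhere in the arguments; case-insensitive because
# PowerShell and URL schemes are not case-sensitive.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_powershell(event: ProcessEvent) -> bool:
    return basename(event.image) in POWERSHELL_IMAGES


def powershell_with_url_in_cmdline(event: ProcessEvent) -> list[str]:
    """Return the URLs found in a PowerShell command line; [] if no match."""
    if not is_powershell(event):
        return []
    return URL_RE.findall(event.command_line)


def triage(event: ProcessEvent) -> str:
    """Hits spawned by an Office application are ranked higher (assumed scheme)."""
    return "high" if basename(event.parent_image) in OFFICE_IMAGES else "medium"


def run_detection(events: list[ProcessEvent]) -> list[tuple[int, list[str], str]]:
    """Apply the rule to a batch; return (event index, urls, priority) per hit."""
    hits = []
    for i, ev in enumerate(events):
        urls = powershell_with_url_in_cmdline(ev)
        if urls:
            hits.append((i, urls, triage(ev)))
    return hits


# Constructed sample events (not captured telemetry). Only events 0 and 3
# should match: event 1 is PowerShell without a URL, event 2 is a URL but
# not in a PowerShell process.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -NoProfile -Command "Invoke-WebRequest '
                 'http://example.invalid/report.txt -OutFile C:\\Users\\Public\\r.txt"',
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c curl https://example.invalid/update.zip",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Program Files\PowerShell\7\pwsh.exe",
                 'pwsh.exe -c "Invoke-RestMethod -Uri HTTPS://api.example.invalid/health"',
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, urls, prio in run_detection(SAMPLE_EVENTS):
        print(f"event {idx}: priority={prio} urls={urls}")
```

The rule is deliberately narrow: it says nothing about what the document did before PowerShell started, which is exactly why tests 1-7 (macro behaviour inside Word) would need separate Office-focused rules even on a host where Word is installed. Expect legitimate admin scripts that download from internal URLs to trigger it too, so the parent-process priority is what keeps it useful rather than noisy.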
© 2021. This work is licensed under a CC BY-SA 4.0 license