ID | Name
---|---
T1204.001 | Malicious Link |
T1204.002 | Malicious File |
T1204.003 | Malicious Image |
T1204.004 | Malicious Copy and Paste |
An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a Command and Scripting Interpreter.
Malicious websites, such as those used in Drive-by Compromise, may present fake error messages or CAPTCHA prompts that instruct users to open a terminal or the Windows Run Dialog box and execute an arbitrary command. These commands may be obfuscated using encoding or other techniques to conceal malicious intent. Once executed, the adversary will typically be able to establish a foothold on the victim's machine.[1][2][3]
Adversaries may also leverage phishing emails for this purpose. When a user attempts to open an attachment, they may be presented with a fake error and offered a malicious command to paste as a solution.[4]
Tricking a user into executing a command themselves may help to bypass email filtering, browser sandboxing, or other mitigations designed to protect users against malicious downloaded files.
ID | Mitigation | Description
---|---|---
M1038 | Execution Prevention | Use application control where appropriate. PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g.,
M1031 | Network Intrusion Prevention | If a link is being requested by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.
M1021 | Restrict Web-Based Content | If a link is being requested by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as
ID | Data Source | Data Component | Detects
---|---|---|---
DS0017 | Command | Command Execution | Detect commands triggered by users that may download malicious files. Items typed into the Windows Run dialog are saved for each user in the
DS0022 | File | File Creation | Monitor for files created on a system after a user executes an unusual command. Look for common download paths and suspicious files with executable extensions.
DS0029 | Network Traffic | Network Connection Creation | Monitor network traffic patterns associated with user actions, such as initiating connections to suspicious sites.
DS0029 | Network Traffic | Network Traffic Content | Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g. destinations attributed to malicious actors). Consider correlating with process monitoring and command-line data to detect anomalous process execution and command-line arguments.
DS0009 | Process | Process Creation | Identify processes spawned by user actions that could lead to malicious execution.
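The Command Execution and Process Creation rows above describe correlating the launching process with the command line. The following is an added example (not part of the ATT&CK page) of that triage over process-creation events: it flags a scripting interpreter started from explorer.exe (the parent of a Run-dialog launch) whose command line also carries encoding or hiding indicators of the kind the description mentions. The interpreter and indicator lists and the sample events are assumptions constructed for illustration and should be tuned per environment.

```python
"""Triage process-creation events for pasted-command execution (added example)."""
import re

# Assumed lists: interpreters a pasted command typically runs in, and the
# parent that launches them from the Run dialog (Win+R).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
RUN_DIALOG_PARENTS = {"explorer.exe"}

# Assumed indicator set: encoded/hidden execution and in-line downloads.
SUSPICIOUS = re.compile(
    r"(?i)(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b"
    r"|frombase64string|invoke-webrequest|\biwr\b|downloadstring)"
)


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious_paste(event: dict) -> bool:
    """True when an interpreter is spawned by a Run-dialog parent with
    an indicator-bearing command line. Event keys: image, parent_image,
    command_line (as in a process-creation log)."""
    if _basename(event["image"]) not in INTERPRETERS:
        return False
    if _basename(event["parent_image"]) not in RUN_DIALOG_PARENTS:
        return False
    return SUSPICIOUS.search(event["command_line"]) is not None


def triage(events: list) -> list:
    """Return only the events worth an analyst's attention."""
    return [e for e in events if is_suspicious_paste(e)]


# Constructed sample events; the base64 is "AAA" in UTF-16LE, not a payload.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell -w hidden -nop -enc QQBBAEEA"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "cmd /c dir"},                      # benign Run-dialog use
    {"image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",  # scheduled task parent
     "command_line": "pwsh -nop -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("suspicious:", hit["command_line"])
```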