Applied Cybernetics Group
T1204.002 — Malicious File
- Technique: T1204.002
- Tactics: Execution
- MISP citations: 0
- KEV CVEs mapped: 33
- Community rules: 36
- thrunt rules: 0
- Upstream: https://attack.mitre.org/techniques/T1204/002
MITRE description
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.(Citation: Mandiant Trojanized Windows 10) Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs) While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
- CVE-2025-27363
- CVE-2024-38080
- CVE-2023-36884
- CVE-2023-26369
- CVE-2023-21715
- CVE-2023-21608
- CVE-2022-34713
- CVE-2022-30190
- CVE-2021-28550
- CVE-2021-21017
- CVE-2018-4990
- CVE-2018-4878
- CVE-2018-15982
- CVE-2017-11292
- CVE-2016-4117
- CVE-2016-0984
- CVE-2015-7645
- CVE-2015-3113
- CVE-2015-3043
- CVE-2014-0496
- CVE-2013-0641
- CVE-2012-1535
- CVE-2012-0754
- CVE-2011-2462
- CVE-2011-0611
- CVE-2010-2883
- CVE-2010-1297
- CVE-2009-4324
- CVE-2009-3953
- CVE-2009-1862
- CVE-2008-2992
- CVE-2008-0655
- CVE-2007-5659
Detection coverage
SigmaHQ community rules
- Exploit for CVE-2017-0261 (emerging-threats)
- Droppers Exploiting CVE-2017-11882 (emerging-threats)
- Exploit for CVE-2017-8759 (emerging-threats)
- Ursnif Malware C2 URL Pattern (emerging-threats)
- Potential Maze Ransomware Activity (emerging-threats)
- Kapeka Backdoor Loaded Via Rundll32.EXE (emerging-threats)
- Successful MSIX/AppX Package Installation (threat-hunting)
- Microsoft Excel Add-In Loaded (threat-hunting)
- Microsoft Word Add-In Loaded (threat-hunting)
- Suspicious Microsoft Office Child Process - MacOS (core)
- Download From Suspicious TLD - Blacklist (core)
- Download From Suspicious TLD - Whitelist (core)
- Flash Player Update from Suspicious Location (core)
- AppLocker Prevented Application or Script from Running (core)
- Windows AppX Deployment Full Trust Package Installation (core)
- Windows AppX Deployment Unsigned Package Installation (core)
- File With Uncommon Extension Created By An Office Application (core)
- Suspicious Startup Folder Persistence (core)
- DotNET Assembly DLL Loaded Via Office Application (core)
- CLR DLL Loaded Via Office Applications (core)
- GAC DLL Loaded Via Office Applications (core)
- Microsoft Excel Add-In Loaded From Uncommon Location (core)
- Microsoft VBA For Outlook Addin Loaded Via Outlook (core)
- VBA DLL Loaded Via Office Application (core)
- Remote DLL Load Via Rundll32.EXE (core)
Showing 25 of 36 community rules; the full set is tagged attack.t1204.002 in SigmaHQ.