Last reviewed:
T1204.002 covers execution of a malicious file: the macro-laced document of endpoint lore, though in cloud estates more often a dropped ELF binary on a compromised instance or container. DCV's runtime signal is GuardDuty's Execution:EC2/MaliciousFile finding and its ECS, Kubernetes and standalone-container siblings, which hash-match files as they execute, with Azure adaptive application controls supplying the allow-list counterpart. When a MaliciousFile finding fires on a server workload there is no user to retrain; assume the host is owned and rebuild.
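The response rule above (a MaliciousFile finding on a server workload means rebuild, not clean-up) as a small EventBridge triage routine. This is an added example, not DCV's or AWS's code; it assumes the EventBridge "GuardDuty Finding" event carries the finding under `detail` with `type`, `severity`, `accountId`, `region` and `resource.resourceType`, and the ECS, Kubernetes and Container finding-type names are assumed siblings of the EC2 one named on this page.

```python
"""Triage GuardDuty MaliciousFile findings as delivered by EventBridge.

Assumptions (not from the page): the event carries the finding under
'detail' with 'type', 'severity', 'accountId', 'region' and
'resource.resourceType'; the non-EC2 finding-type names are inferred
from the Execution:EC2/MaliciousFile name the page gives.
"""
import re

# The page names Execution:EC2/MaliciousFile; the other three are assumed siblings.
MALICIOUS_FILE = re.compile(r"^Execution:(EC2|ECS|Kubernetes|Container)/MaliciousFile$")

# Server workloads: there is no user to retrain, so the disposition is rebuild.
SERVER_WORKLOADS = {"Instance", "ECSCluster", "EKSCluster", "Container"}

ATTACK_TECHNIQUE = "T1204.002"


def triage(event: dict) -> dict:
    """Return an ATT&CK-tagged disposition for one GuardDuty event."""
    finding = event.get("detail", event)
    ftype = finding.get("type", "")
    if not MALICIOUS_FILE.match(ftype):
        return {"technique": None, "disposition": "ignore", "finding_type": ftype}
    rtype = finding.get("resource", {}).get("resourceType", "unknown")
    # A hash match on an executing file means the host already ran attacker code.
    disposition = "isolate_and_rebuild" if rtype in SERVER_WORKLOADS else "manual_review"
    return {
        "technique": ATTACK_TECHNIQUE,
        "disposition": disposition,
        "finding_type": ftype,
        "resource_type": rtype,
        "account": finding.get("accountId"),
        "region": finding.get("region"),
        "severity": finding.get("severity"),
    }


# Constructed sample events with placeholder identifiers, not real findings.
SAMPLE_EC2 = {"detail": {"type": "Execution:EC2/MaliciousFile", "severity": 8,
              "accountId": "111111111111", "region": "us-east-1",
              "resource": {"resourceType": "Instance",
                           "instanceDetails": {"instanceId": "i-0placeholder"}}}}
SAMPLE_OTHER = {"detail": {"type": "Recon:EC2/PortProbeUnprotectedPort",
                "resource": {"resourceType": "Instance"}}}

if __name__ == "__main__":
    for ev in (SAMPLE_EC2, SAMPLE_OTHER):
        print(triage(ev))
```

Wire `triage` behind an EventBridge rule on the GuardDuty Finding source and feed the `isolate_and_rebuild` disposition into your instance-quarantine automation.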
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.
Adversaries may employ various forms of Masquerading and Obfuscated Files or Information to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.
While Malicious File frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop, hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
Platforms: Linux, macOS, Windows.
DCV maps 11 detections across 2 cloud providers to T1204.002. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS GuardDuty | AWS | 8 | 0.82 |
| Azure Policy | Azure | 2 | 0.90 |
| Microsoft Defender for Cloud | Azure | 1 | 0.90 |
CloudSigma has coverage metadata for 11 T1204.002 rules across 1 platform, but no public example rule clears the embed bar for this page yet. The linked platform page remains the canonical rule surface; this page will embed an example once a rule clears the bar. In the meantime, generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
DCV maps 11 cloud-native detections to T1204.002 across 2 cloud providers, drawn from AWS GuardDuty, Azure Policy and Microsoft Defender for Cloud.
T1204.002 is part of MITRE ATT&CK TA0002 Execution: How adversaries run their code once inside.
CloudSigma ships 1 validated Sigma rule for T1204.002 across Windows Sysmon. Each rule is validated against its source SIEM dialect before publication.