Execute malware under controlled conditions to analyze its functionality.
An execution environment can range from a somewhat sterile commercial malware execution appliance to a bespoke system crafted to meet engagement goals. The execution environment is typically heavily instrumented (process, file system, registry and network monitoring) and has special controls, such as network isolation or a decoy network, to ensure the detonation is contained and harmless to unrelated systems.
## Opportunity Space

| ID | Description |
|---|---|
| DOS0001 | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. |
## Use Cases

| ID | Description |
|---|---|
| DUC0037 | A defender can detonate malicious code leveraging a signed binary on a decoy system or within a decoy network to see how it behaves or for adversary engagement purposes. |
| DUC0040 | A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence. |
## Procedures

| ID | Description |
|---|---|
| DPR0034 | Take malware received via spearphishing and detonate it on an isolated system in order to collect execution and network communication artifacts. |
| DPR0035 | Detonate a malware sample in a decoy network to engage with an adversary and study their TTPs. |
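The artifact collection described for DPR0034 (execution and network communication artifacts from an isolated detonation) can be illustrated with a minimal harness. The following is an added example, not code from the original page or from MITRE: it runs a sample in a throwaway working directory with a hard timeout, records the files the sample drops, and extracts spawned programs and IPv4 endpoints from an `strace -f` log. It assumes a Linux host; `strace` is optional and is only used when a probe shows ptrace is permitted. The `lab_confirmed` gate and the `STRACE_SAMPLE` lines (using an RFC 5737 documentation address) are hypothetical constructs for this example.

```python
"""Added example (not from the original page): a minimal detonation harness
that runs a sample inside a throwaway working directory with a hard timeout,
records the files it drops, and extracts execution and network indicators
from an strace log.  Assumes Linux; strace is optional and only used when the
host actually permits ptrace."""
import hashlib
import os
import re
import shutil
import signal
import subprocess
import tempfile

# strace -f output patterns for the two syscalls this example extracts.
CONNECT_RE = re.compile(
    r'connect\(\d+, \{.*?sin_port=htons\((\d+)\), sin_addr=inet_addr\("([\d.]+)"\)')
EXECVE_RE = re.compile(r'execve\("([^"]+)"')


def extract_indicators(strace_text):
    """Return IPv4 endpoints contacted and programs executed, from strace -f text."""
    endpoints, programs = set(), set()
    for line in strace_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            endpoints.add((m.group(2), int(m.group(1))))
        m = EXECVE_RE.search(line)
        if m:
            programs.add(m.group(1))
    return {"endpoints": sorted(endpoints), "programs": sorted(programs)}


def _strace_usable():
    """ptrace is often blocked in containers; only trace when a probe succeeds."""
    if shutil.which("strace") is None:
        return False
    probe = subprocess.run(["strace", "-o", os.devnull, "true"],
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return probe.returncode == 0


def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def detonate(argv, timeout=30, lab_confirmed=False):
    """Run argv in a scratch directory and collect artifacts.

    lab_confirmed is the containment gate: the caller asserts that this host is
    an isolated detonation system (hypothetical policy for this example).
    """
    if not lab_confirmed:
        raise RuntimeError("refusing to detonate outside a confirmed isolated lab")
    workdir = tempfile.mkdtemp(prefix="detonate-")
    log_path = os.path.join(workdir, ".strace.log")
    traced = _strace_usable()
    cmd = (["strace", "-f", "-o", log_path] if traced else []) + list(argv)
    # New session so the whole process group, including children the sample
    # spawns, can be killed when the timeout expires.
    proc = subprocess.Popen(cmd, cwd=workdir, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE, start_new_session=True)
    timed_out = False
    try:
        out, err = proc.communicate(timeout=timeout)
    except subprocess.TimeoutExpired:
        timed_out = True
        os.killpg(proc.pid, signal.SIGKILL)
        out, err = proc.communicate()
    # Execution artifacts: every file left behind in the scratch directory.
    dropped = {}
    for root, _, files in os.walk(workdir):
        for name in files:
            path = os.path.join(root, name)
            if path != log_path:
                dropped[os.path.relpath(path, workdir)] = _sha256(path)
    # Network artifacts: parsed from the strace log when tracing was possible.
    indicators = {"endpoints": [], "programs": []}
    if traced and os.path.exists(log_path):
        with open(log_path, errors="replace") as f:
            indicators = extract_indicators(f.read())
    shutil.rmtree(workdir, ignore_errors=True)
    return {"returncode": proc.returncode, "timed_out": timed_out, "traced": traced,
            "stdout": out.decode(errors="replace"), "stderr": err.decode(errors="replace"),
            "dropped_files": dropped, "indicators": indicators}


# Constructed strace lines (RFC 5737 documentation address, not a real C2).
STRACE_SAMPLE = (
    '1234 execve("/usr/bin/curl", ["curl", "http://203.0.113.7/p"], 0x7ffd) = 0\n'
    '1234 connect(3, {sa_family=AF_INET, sin_port=htons(443), '
    'sin_addr=inet_addr("203.0.113.7")}, 16) = 0\n'
    '1235 connect(4, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT\n'
)

if __name__ == "__main__":
    print(extract_indicators(STRACE_SAMPLE))
    print(detonate(["sh", "-c", "echo beacon > dropped.txt"], timeout=10, lab_confirmed=True))
```

The scratch directory and process-group kill are the containment controls a real appliance would enforce far more thoroughly (dedicated VM or network namespace, sinkholed DNS, snapshot restore); the point of the gate is that detonation never happens by accident on an analyst workstation. Hashing dropped files before the directory is destroyed gives the indicators a later hunt can pivot on.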
## ATT&CK Techniques

| ID | Name | ATT&CK Tactics |
|---|---|---|
| T1204 | User Execution | Execution |
| T1218 | Signed Binary Proxy Execution | Defense Evasion |