MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.

Detonate Malware

Execute malware under controlled conditions to analyze its functionality.

An execution environment can range from a somewhat sterile commercial malware execution appliance, to a bespoke system crafted to meet engagement goals. The execution environment will typically be highly instrumented and have special controls to ensure the experiment is contained and harmless to unrelated systems.

ID: DTE0018
Tactics:  Channel Collect Contain Test


DOS0001 There is an opportunity to study the adversary and collect first-hand observations about them and their tools.

Use Cases

DUC0037 A defender can detonate malicious code leveraging a signed binary on a decoy system or within a decoy network to see how it behaves or for adversary engagement purposes.
DUC0040 A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence.


DPR0034 Take malware received via spearphishing and detonate it on an isolated system in order to collect execution and network communication artifacts.
DPR0035 Detonate a malware sample in a decoy network to engage with an adversary and study their TTPs.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1204 User Execution Execution
T1218 Signed Binary Proxy Execution Defense Evasion