Execute malware under controlled conditions to analyze its functionality.
An execution environment can range from a somewhat sterile commercial malware execution appliance to a bespoke system crafted to meet engagement goals. The execution environment will typically be highly instrumented and have special controls to ensure the experiment is contained and harmless to unrelated systems.
| ID | Opportunity |
|---|---|
| DOS0001 | There is an opportunity to study the adversary and collect first-hand observations about them and their tools. |
| ID | Use Case |
|---|---|
| DUC0037 | A defender can detonate malicious code leveraging a signed binary on a decoy system or within a decoy network to see how it behaves or for adversary engagement purposes. |
| DUC0040 | A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence. |
| ID | Procedure |
|---|---|
| DPR0034 | Take malware received via spearphishing and detonate it on an isolated system in order to collect execution and network communication artifacts. |
| DPR0035 | Detonate a malware sample in a decoy network to engage with an adversary and study their TTPs. |
| ATT&CK ID | Technique | Tactic |
|---|---|---|
| T1218 | Signed Binary Proxy Execution | Defense Evasion |