Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.
Migrate Attack Vector allows a defender to access an intercepted malicious element and analyze it in a safe environment or conduct an adversary engagement within a decoy network.

ID | Description |
---|---|
DOS0013 | There is an opportunity to study removable media to see if it's infected and what happens when it is plugged into a decoy system or network. |
DOS0019 | A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution. |
DOS0024 | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. |

ID | Description |
---|---|
DUC0013 | A defender can connect a suspect removable media device to a decoy system and see what happens when autorun is enabled. |
DUC0016 | A defender can move suspicious emails to a decoy system prior to opening and examining the email. |
DUC0211 | A defender who intercepts removable media being used by an adversary for relaying commands can plug the removable media into a decoy system or network to watch what commands are being relayed and what the adversary continues to do. |

ID | Description |
---|---|
DPR0041 | When malware is received via spearphishing, move the email message onto a decoy system prior to detonating the malicious file attachment. |

ID | Name | ATT&CK Tactics |
---|---|---|
T1091 | Replication Through Removable Media | Lateral Movement, Initial Access |
T1092 | Communication Through Removable Media | Command and Control |
T1566 | Phishing | Initial Access |