Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.
Migrate Attack Vector allows a defender to access an intercepted malicious element and analyze it in a safe environment or conduct an adversary engagement within a decoy network.
| Opportunity ID | Description |
|---|---|
| DOS0013 | There is an opportunity to study removable media to see if it's infected and what happens when it is plugged into a decoy system or network. |
| DOS0019 | A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution. |
| DOS0024 | There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment. |

| Use Case ID | Description |
|---|---|
| DUC0013 | A defender can connect a suspect removable media device to a decoy system and see what happens when autorun is enabled. |
| DUC0016 | A defender can move suspicious emails to a decoy system prior to opening and examining the email. |
| DUC0211 | A defender who intercepts removable media being used by an adversary for relaying commands can plug the removable media into a decoy system or network to watch what commands are being relayed and what the adversary continues to do. |

| Procedure ID | Description |
|---|---|
| DPR0041 | When malware is received via spearphishing, move the email message onto a decoy system prior to detonating the malicious file attachment. |

| ATT&CK ID | Name | ATT&CK Tactics |
|---|---|---|
| T1091 | Replication Through Removable Media | Lateral Movement, Initial Access |
| T1092 | Communication Through Removable Media | Command and Control |
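
The move described in DUC0016 and DPR0041, as an added example that is not part of the original page: a flagged message is copied byte-for-byte into a decoy mailbox, verified by hash, and only then removed from the intended recipient's mailbox. It assumes mail is stored in Maildir folders; the function names, addresses and sample message are constructed for illustration.

```python
import hashlib
import mailbox
import tempfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import Path


def migrate_to_decoy(src, key, decoy, intended_rcpt):
    """Move message `key` from Maildir `src` into Maildir `decoy`, unmodified."""
    raw = src.get_bytes(key)
    digest = hashlib.sha256(raw).hexdigest()
    # Parse MIME structure only: attachments are hashed in memory,
    # never written to disk or opened on the production side.
    msg = message_from_bytes(raw, policy=policy.default)
    attachments = [
        {"filename": part.get_filename(),
         "sha256": hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()}
        for part in msg.iter_attachments()
    ]
    decoy_key = decoy.add(raw)
    # Verify the decoy copy before deleting the original, so a failed
    # copy never destroys the only instance of the evidence.
    if hashlib.sha256(decoy.get_bytes(decoy_key)).hexdigest() != digest:
        decoy.remove(decoy_key)
        raise OSError("decoy copy differs from original; source left in place")
    src.remove(key)
    return {"sha256": digest, "intended_rcpt": intended_rcpt,
            "decoy_key": decoy_key, "attachments": attachments}


def build_sample():
    """Constructed sample message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.test", "employee@example.test"
    m["Subject"] = "Invoice"
    m.set_content("See attached.")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="invoice.doc")
    return m.as_bytes()


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        user = mailbox.Maildir(str(Path(tmp) / "employee"), create=True)
        decoy = mailbox.Maildir(str(Path(tmp) / "decoy"), create=True)
        raw = build_sample()
        record = migrate_to_decoy(user, user.add(raw), decoy, "employee@example.test")
        return record, hashlib.sha256(raw).hexdigest(), len(user), len(decoy)
```

The returned record gives the decoy-side analyst the message and attachment hashes to match against whatever is later detonated.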