MITRE Shield will be retired on October 18th in favor of MITRE Engage. To learn more, click here.

Migrate Attack Vector

Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.

Migrate Attack Vector allows a defender to access an intercepted malicious element and analyze it in a safe environment or conduct an adversary engagement within a decoy network.

ID: DTE0023
Tactics:  Contain Channel Test


DOS0013 There is an opportunity to study removable media to see if it's infected and what happens when it is plugged into a decoy system or network.
DOS0019 A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution.
DOS0024 There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment.

Use Cases

DUC0013 A defender can connect a suspect removeable media device to a decoy system and see what happens when autorun is enabled.
DUC0016 A defender can move suspicious emails to a decoy system prior to opening and examining the email.
DUC0211 A defender who intercepts removable media being used by an adversary for relaying commands can plug the removal media into a decoy system or network to watch what commands are being relayed and what the adversary continues to do.


DPR0041 When malware is received via spearphishing, move the email message onto a decoy system prior to detonating the malicious file attachment.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1091 Replication Through Removable Media Lateral MovementInitial Access
T1092 Communication Through Removable Media Command and Control
T1566 Phishing Initial Access