We have a blog! Check out MITRE Shield on Medium.

Migrate Attack Vector

Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.

Migrate Attack Vector allows a defender to access an intercepted malicious element and analyze it in a safe environment or conduct an adversary engagement within a decoy network.

Details
ID: DTE0023
Tactics:  Contain Channel Test

Opportunities

IDDescription
DOS0013 There is an opportunity to study removable media to see if it's infected and what happens when it is plugged into a decoy system or network.
DOS0019 A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution.
DOS0024 There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment.

Use Cases

IDDescription
DUC0013 A defender can connect a suspect removeable media device to a decoy system and see what happens when autorun is enabled.
DUC0016 A defender can move suspicious emails to a decoy system prior to opening and examining the email.
DUC0211 A defender who intercepts removable media being used by an adversary for relaying commands can plug the removal media into a decoy system or network to watch what commands are being relayed and what the adversary continues to do.

Procedures

IDDescription
DPR0041 When malware is received via spearphishing, move the email message onto a decoy system prior to detonating the malicious file attachment.

ATT&CK® Techniques

IDNameATT&CK Tactics
T1091 Replication Through Removable Media Lateral MovementInitial Access
T1092 Communication Through Removable Media Command and Control
T1566 Phishing Initial Access