Move a malicious link, file, or device from its intended location to a decoy system or network for execution/use.
Migrate Attack Vector allows a defender to access an intercepted malicious element and analyze it in a safe environment or conduct an adversary engagement within a decoy network.
|There is an opportunity to study removable media to see if it's infected and what happens when it is plugged into a decoy system or network.
|A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution.
|There is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment.
|A defender can connect a suspect removable media device to a decoy system and see what happens when autorun is enabled.
|A defender can move suspicious emails to a decoy system prior to opening and examining the email.
|A defender who intercepts removable media being used by an adversary for relaying commands can plug the removable media into a decoy system or network to watch what commands are being relayed and what the adversary continues to do.
|When malware is received via spearphishing, move the email message onto a decoy system prior to detonating the malicious file attachment.
|Replication Through Removable Media|Lateral Movement, Initial Access
|Communication Through Removable Media|Command and Control
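
The email use cases above (move a flagged message to a decoy account before anyone opens it), as an added example that is not part of the original page. It assumes an upstream filter has already flagged the message; the decoy address, the function names and the sample message are hypothetical and constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

DECOY_RCPT = "decoy.user@decoy.example"  # assumed decoy mailbox (hypothetical)

def build_sample() -> bytes:
    """Constructed sample: a flagged message carrying an inert attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@mail.example"
    msg["To"] = "alice@corp.example"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"constructed-inert-bytes", maintype="application",
                       subtype="octet-stream", filename="invoice.bin")
    return msg.as_bytes()

def migrate_to_decoy(raw: bytes, envelope_rcpt: str, flagged: bool) -> dict:
    """Decide where one message is delivered and record the migration.

    The raw bytes are passed through unmodified and nothing is rendered or
    executed here: attachments are only hashed, so the decoy system receives
    exactly what the sender transmitted.
    """
    if not flagged:
        return {"deliver_to": envelope_rcpt, "raw": raw, "record": None}
    parsed = message_from_bytes(raw, policy=policy.default)
    attachments = [
        {"filename": part.get_filename(),
         "sha256": hashlib.sha256(part.get_payload(decode=True)).hexdigest()}
        for part in parsed.iter_attachments()
    ]
    record = {
        "intended_rcpt": envelope_rcpt,   # kept so analysts know the target
        "decoy_rcpt": DECOY_RCPT,
        "message_sha256": hashlib.sha256(raw).hexdigest(),
        "subject": str(parsed["Subject"]),
        "attachments": attachments,
    }
    return {"deliver_to": DECOY_RCPT, "raw": raw, "record": record}

if __name__ == "__main__":
    result = migrate_to_decoy(build_sample(), "alice@corp.example", flagged=True)
    print(result["deliver_to"], result["record"]["attachments"])
```

Only the envelope recipient changes; the record ties what is later detonated on the decoy system back to the original delivery attempt.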