Description
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.(Citation: Mandiant Trojanized Windows 10)
Adversaries may employ various forms of Masquerading and Obfuscated Files or Information to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs)
While Malicious File frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.
Platforms
Mitigations (3)
M1038 Execution Prevention
Application control may be able to prevent the running of executables masquerading as other files.
M1040 Behavior Prevention on Endpoint
On Windows 10, various Attack Surface Reduction (ASR) rules can be enabled to prevent the execution of potentially malicious executable files (such as those that have been downloaded and executed by Office applications/scripting interpreters/email clients or that do not meet specific prevalence, age, or trusted list criteria). Note: cloud-delivered protection must be enabled for certain rules. (Ci
M1017 User Training
Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.
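The behaviours that the ASR rules under M1040 are meant to block (an Office application or email client launching an executable or a script interpreter, or an executable started from wherever an attachment was saved) can also be surfaced after the fact in process-creation telemetry. The triage below is an added example written for this page, not code from MITRE ATT&CK or from any endpoint vendor. The event field names, the parent-process and interpreter names, and the user-writable path markers are assumptions, and the log lines are constructed. It goes slightly beyond the mitigation text by also covering the masquerading case from the description: a document-style filename that ends in an executable extension.

```python
"""Triage process-creation events for T1204.002 follow-on behaviour (added example)."""
import json
from pathlib import PureWindowsPath

# Members of the technique's file-type list that appear directly as a process image.
# .lnk, .cpl, .reg and .iso are opened by a handler (the shortcut target, control.exe,
# regedit.exe, the mounted image), so they surface as that handler's process instead.
EXECUTABLE_EXT = {".exe", ".scr", ".pif"}
# Document types a user expects to be inert; used to spot names such as "report.pdf.exe".
DOCUMENT_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf"}
# Assumed parent processes behind M1040's "Office applications / email clients" wording.
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
# Assumed script/LOLBin hosts that a document should never need to start.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Assumed locations where a downloaded or extracted attachment lands before it is opened.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                         "\\downloads\\", "\\users\\public\\")


def classify(event: dict) -> list[str]:
    """Return the reasons one process-creation event matches the technique.

    An empty list means the event is treated as benign.
    """
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    image = PureWindowsPath(event["image"])
    name = image.name.lower()
    suffixes = [s.lower() for s in image.suffixes]
    ext = suffixes[-1] if suffixes else ""
    in_user_path = any(marker in str(image).lower() for marker in USER_WRITABLE_MARKERS)
    reasons = []

    # Rule 1: a document viewer or mail client spawning a script interpreter
    # (what the ASR "Office applications creating child processes" family blocks).
    if parent in USER_FACING_PARENTS and name in INTERPRETERS:
        reasons.append(f"{parent} spawned interpreter {name}")

    # Rule 2: an executable started by the shell or a user-facing app from a path
    # where an attachment would have been saved or extracted.
    if parent in USER_FACING_PARENTS | {"explorer.exe"} and ext in EXECUTABLE_EXT and in_user_path:
        reasons.append(f"{parent} launched {ext} from user-writable path")

    # Rule 3: masquerading through a document-looking name with a trailing executable extension.
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXT and ext in EXECUTABLE_EXT:
        reasons.append(f"document-style name hides {ext}: {name}")
    return reasons


def triage(log_lines: list[str]) -> list[dict]:
    """Parse newline-delimited JSON process-creation events and keep the suspicious ones."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append({"line": number, "image": PureWindowsPath(event["image"]).name,
                         "reasons": reasons})
    return hits


# Constructed sample telemetry (not real data): parent and child image paths in the
# shape an EDR or Sysmon process-creation event would record them.
SAMPLE_LOG = [
    json.dumps({"user": "CORP\\alice",
                "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}),
    json.dumps({"user": "CORP\\alice",
                "parent_image": r"C:\Windows\explorer.exe",
                "image": r"C:\Users\alice\Downloads\Invoice_Q3.pdf.exe"}),
    json.dumps({"user": "CORP\\bob",
                "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                "image": r"C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\AB12CD\statement.scr"}),
    # Benign: the shell starting Word from its install directory.
    json.dumps({"user": "CORP\\alice",
                "parent_image": r"C:\Windows\explorer.exe",
                "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"}),
    # Benign: Word spawning the print helper from the Windows directory.
    json.dumps({"user": "CORP\\alice",
                "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "image": r"C:\Windows\splwow64.exe"}),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['image']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Running the script lists the first three sample events and leaves the two benign ones alone; the Windows-directory checks in rules 2 and 3 are what keep Word's own helper processes from firing. Rule 2 will still flag a legitimate installer a user runs from Downloads, so in a real deployment it belongs behind an allowlist of signed publishers, which is the same prevalence/age/trust idea the ASR rule text describes.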
Threat Groups (86)
| ID | Group | Context |
|---|---|---|
| G1026 | Malteiro | [Malteiro](https://attack.mitre.org/groups/G1026) has relied on users to execute .zip file attachments containing malicious URLs.(Citation: SCILabs Ma... |
| G0005 | APT12 | [APT12](https://attack.mitre.org/groups/G0005) has attempted to get victims to open malicious Microsoft Word and PDF attachment sent via spearphishing... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used spearphishing attachments to entice victims into opening malicious files, including LNK file... |
| G0095 | Machete | [Machete](https://attack.mitre.org/groups/G0095) has relied on users opening malicious attachments delivered through spearphishing to execute malware.... |
| G0066 | Elderwood | [Elderwood](https://attack.mitre.org/groups/G0066) has leveraged multiple types of spearphishing in order to attempt to get a user to open attachments... |
| G0134 | Transparent Tribe | [Transparent Tribe](https://attack.mitre.org/groups/G0134) has used weaponized documents in e-mail to compromise targeted systems.(Citation: Proofpoin... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has used various forms of spearphishing in attempts to get users to open malicious attachments.(Cit... |
| G0090 | WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has attempted to lure users into opening malicious documents including MS Word and Excel files, at time... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has distributed malicious files requiring direct victim interaction to execute through t... |
| G0048 | RTM | [RTM](https://attack.mitre.org/groups/G0048) has attempted to lure victims into opening e-mail attachments to execute malicious code.(Citation: Group ... |
| G1007 | Aoqin Dragon | [Aoqin Dragon](https://attack.mitre.org/groups/G1007) has lured victims into opening weaponized documents, fake external drives, and fake antivirus to... |
| G0099 | APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has prompted victims to open attachments and to accept macros in order to execute the subsequent pay... |
| G1012 | CURIUM | [CURIUM](https://attack.mitre.org/groups/G1012) has lured users into opening malicious files delivered via social media.(Citation: Microsoft Iranian T... |
| G0084 | Gallmaker | [Gallmaker](https://attack.mitre.org/groups/G0084) sent victims a lure document with a warning that asked victims to “enable content” for execution.(C... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has lured victims into executing malware via malicious e-mail attachments.(Citation: Anomali P... |
| G0070 | Dark Caracal | [Dark Caracal](https://attack.mitre.org/groups/G0070) makes their malware look like Flash Player, Office, or PDF documents in order to entice a user t... |
| G1039 | RedCurl | [RedCurl](https://attack.mitre.org/groups/G1039) has used malicious files to infect the victim machines.(Citation: group-ib_redcurl1)(Citation: group-... |
| G0079 | DarkHydrus | [DarkHydrus](https://attack.mitre.org/groups/G0079) has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy ... |
| G0068 | PLATINUM | [PLATINUM](https://attack.mitre.org/groups/G0068) has attempted to get users to open malicious files by sending spearphishing emails with attachments ... |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has attempted to get victims to open malicious files such as Windows Shortcuts (.lnk) and/or Microso... |
Associated Software (98)
| ID | Name | Type | Context |
|---|---|---|---|
| S0669 | KOCTOPUS | Malware | [KOCTOPUS](https://attack.mitre.org/software/S0669) has relied on victims clicking a malicious document for execution.(Citation: MalwareBytes LazyScri... |
| S0356 | KONNI | Malware | [KONNI](https://attack.mitre.org/software/S0356) has relied on a victim to enable malicious macros within an attachment delivered via email.(Citation:... |
| S0453 | Pony | Malware | [Pony](https://attack.mitre.org/software/S0453) has attempted to lure targets into downloading an attached executable (ZIP, RAR, or CAB archives) or d... |
| S0631 | Chaes | Malware | [Chaes](https://attack.mitre.org/software/S0631) requires the user to click on the malicious Word document to execute the next part of the attack.(Cit... |
| S1064 | SVCReady | Malware | [SVCReady](https://attack.mitre.org/software/S1064) has relied on users clicking a malicious attachment delivered through spearphishing.(Citation: HP ... |
| S0670 | WarzoneRAT | Malware | [WarzoneRAT](https://attack.mitre.org/software/S0670) has relied on a victim to open a malicious attachment within an email for execution.(Citation: C... |
| S0637 | NativeZone | Malware | [NativeZone](https://attack.mitre.org/software/S0637) can display an RTF document to the user to enable execution of [Cobalt Strike](https://attack.... |
| S0331 | Agent Tesla | Malware | [Agent Tesla](https://attack.mitre.org/software/S0331) has been executed through malicious e-mail attachments (Citation: Bitdefender Agent Tesla April... |
| S0499 | Hancitor | Malware | [Hancitor](https://attack.mitre.org/software/S0499) has used malicious Microsoft Word documents, sent via email, which prompted the victim to enable m... |
| S9031 | AshTag | Malware | [AshTag](https://attack.mitre.org/software/S9031) has been executed through victims downloading and opening malicious RAR archive files.(Citation: Pal... |
| S0428 | PoetRAT | Malware | [PoetRAT](https://attack.mitre.org/software/S0428) has used spearphishing attachments to infect victims.(Citation: Talos PoetRAT April 2020) |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) has relied upon users clicking on a malicious attachment delivered through spearphishing.(Citation: ... |
| S0455 | Metamorfo | Malware | [Metamorfo](https://attack.mitre.org/software/S0455) requires the user to double-click the executable to run the malicious HTA file or to download a m... |
| S1026 | Mongall | Malware | [Mongall](https://attack.mitre.org/software/S1026) has relied on a user opening a malicious document for execution.(Citation: SentinelOne Aoqin Dragon... |
| S0634 | EnvyScout | Malware | [EnvyScout](https://attack.mitre.org/software/S0634) has been executed through malicious files attached to e-mails.(Citation: MSTIC Nobelium Toolset M... |
| S9026 | ROAMINGHOUSE | Malware | During [Operation AkaiRyū](https://attack.mitre.org/campaigns/C0060), [MirrorFace](https://attack.mitre.org/groups/G1054) used malicious files to drop... |
| S0013 | PlugX | Malware | [PlugX](https://attack.mitre.org/software/S0013) has leveraged an initial executable disguised as a legitimate document to trick the target into openi... |
| S0373 | Astaroth | Malware | [Astaroth](https://attack.mitre.org/software/S0373) has used malicious files including VBS, LNK, and HTML for execution.(Citation: Securelist Brazilia... |
| S0198 | NETWIRE | Malware | [NETWIRE](https://attack.mitre.org/software/S0198) has been executed through luring victims into opening malicious documents.(Citation: FireEye NETWIR... |
| S0665 | ThreatNeedle | Malware | [ThreatNeedle](https://attack.mitre.org/software/S0665) relies on a victim to click on a malicious document for initial execution.(Citation: Kaspersky... |
References
- Lawrence Abrams. (2017, July 12). PSA: Don't Open SPAM Containing Password Protected Word Docs. Retrieved January 5, 2022.
- Mandiant Intelligence. (2022, December 15). Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government. Retrieved September 26, 2025.
Frequently Asked Questions
What is T1204.002 (Malicious File)?
T1204.002 is a MITRE ATT&CK technique named 'Malicious File'. It belongs to the Execution tactic(s). An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This us...
How can T1204.002 be detected?
Detection of T1204.002 (Malicious File) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1204.002?
There are 3 documented mitigations for T1204.002. Key mitigations include: Execution Prevention, Behavior Prevention on Endpoint, User Training.
Which threat groups use T1204.002?
Known threat groups using T1204.002 include: Malteiro, APT12, Kimsuky, Machete, Elderwood, Transparent Tribe, Dragonfly, WIRTE.