We welcome your feedback about MITRE Engage™ v0.9 Beta: Email us at engage@mitre.org

Detonate Malware

Execute malware under controlled conditions to analyze its functionality.

Malware can be detonated in a controlled and safe environment. Clear goals and safety procedures should always be established before detonation to ensure that the operation is focused and safe. The malware can be detonated in an execution environment ranging from a somewhat sterile commercial malware execution appliance to a bespoke engagement environment crafted to support an extended engagement.

Outcomes of a malware detonation operation can include new IOCs collected during dynamic analysis, additional TTPs elicited by detonating the malware in a target rich environment, and/or negative impacts to the adversary and their operation. These outcomes can be used to produce new analytics for high-fidelity analytics.

ID: EAC0013
Type:  Engagement 
Goals:  Expose Affect Elicit
Approaches:  Detection Direction Motivation
Whenever an adversary interacts with the environment, their actions reveal vulnerabilities. Defenders can utilize engagement activities to take advantage of such weaknesses.

The following table lists the adversary tactics on the left and the revealed vulnerability on the right that can be exploited by the defender using Detonate Malware.

ATT&CK® Tactics Adversary Vulnerability Presented
Defense Evasion Execution When adversaries’ malware is detonated, they are vulnerable to dynamic analysis, which can reveal how the malware interacts with system resources.
Execution Command and Control Defense Evasion Impact When adversaries’ malware is detonated, they may be encouraged to operate in an unintended environment.
Command and Control When adversaries discover a diverse set of accessible resources and decoy artifacts on the target, they are vulnerable to revealing their targeting preferences and capabilities.