4. Execution
Execution (TA0002)
Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Network Service Scanning.
Techniques Overview
- Command and Scripting Interpreter: PowerShell, Bash, Python.
- User Execution: Tricking the user into running malicious code (Macros, LNKs).
- Container Administration Command: Executing code inside Docker/K8s.
- Scheduled Task/Job: (See Persistence).
Strategy
Execution is the "How". "How do I run my tool?"
- Constraint: EDR blocks powershell.exe.
- Bypass: Use System.Management.Automation.dll via C# (Unmanaged PowerShell).
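The detection side of the constraint/bypass pair above, and of the downgrade attacks named under Section Contents, as an added example that is not part of the original page or of any tool it describes. Both checks run over constructed Sysmon-style records (Event ID 7 ImageLoad, Event ID 1 ProcessCreate): the field names follow Sysmon's, the file paths and process ids are invented, and the allowlist of PowerShell host images and the prefix matching of the -Version switch are assumptions made for this example.

```python
"""Detection checks for two PowerShell execution patterns named on this page.

1. Unmanaged PowerShell: the PowerShell engine (System.Management.Automation.dll)
   is loaded into a process that is not one of the known PowerShell hosts.
2. Downgrade: powershell.exe is started with -Version 2, which sidesteps the
   script block logging that later engine versions provide.

Input records mimic Sysmon events (EventID 7 = ImageLoad, EventID 1 =
ProcessCreate). Every sample record below is constructed for this example.
"""
from typing import Iterable, List, Optional

# Assumption: these are the only images expected to host the PowerShell engine.
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# The engine assembly, plus its native-image (NGEN) variant.
ENGINE_DLLS = {"system.management.automation.dll", "system.management.automation.ni.dll"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_downgrade(command_line: str) -> bool:
    """True if the command line requests engine version 2 via -Version.

    powershell.exe accepts abbreviated switches, so -v, -ver and -Version all
    select the same option; this check therefore accepts any prefix of
    'version' (assumption: no other powershell.exe switch starts with 'v').
    """
    tokens = command_line.split()
    for flag, value in zip(tokens, tokens[1:]):
        if len(flag) > 1 and flag.startswith("-") and "version".startswith(flag[1:].lower()):
            if value in ("2", "2.0"):
                return True
    return False


def check_image_load(event: dict) -> Optional[str]:
    """Flag the engine DLL being loaded by anything other than a PowerShell host."""
    if event.get("EventID") != 7:
        return None
    dll = basename(event.get("ImageLoaded", ""))
    if dll not in ENGINE_DLLS:
        return None
    host = basename(event.get("Image", ""))
    if host in POWERSHELL_HOSTS:
        return None
    return f"unmanaged PowerShell: {host} (PID {event.get('ProcessId')}) loaded {dll}"


def check_process_create(event: dict) -> Optional[str]:
    """Flag a PowerShell host started with an explicit version-2 engine request."""
    if event.get("EventID") != 1:
        return None
    if basename(event.get("Image", "")) not in POWERSHELL_HOSTS:
        return None
    cmd = event.get("CommandLine", "")
    if is_downgrade(cmd):
        return f"PowerShell downgrade: PID {event.get('ProcessId')} started with {cmd!r}"
    return None


def scan(events: Iterable[dict]) -> List[str]:
    """Run both checks over a stream of events and collect findings in order."""
    findings = []
    for event in events:
        for check in (check_image_load, check_process_create):
            hit = check(event)
            if hit:
                findings.append(hit)
    return findings


PS_HOST = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENGINE = r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"

# Constructed sample events; paths and PIDs are invented for this example.
SAMPLE_EVENTS = [
    # Benign: the normal host loads its own engine.
    {"EventID": 7, "ProcessId": 4120, "Image": PS_HOST, "ImageLoaded": ENGINE},
    # Suspicious: an unrelated executable loads the engine (unmanaged PowerShell).
    {"EventID": 7, "ProcessId": 5532, "Image": r"C:\Users\Public\updater.exe", "ImageLoaded": ENGINE},
    # Benign: ordinary script execution on the current engine.
    {"EventID": 1, "ProcessId": 6001, "Image": PS_HOST,
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    # Suspicious: explicit request for the version-2 engine.
    {"EventID": 1, "ProcessId": 6002, "Image": PS_HOST,
     "CommandLine": "powershell.exe -v 2 -NoProfile -Command Get-Process"},
    # Noise: an unrelated DLL load that must not match.
    {"EventID": 7, "ProcessId": 7000, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The image-load check is the one that matters for the bypass in the Strategy list: blocking the powershell.exe image does nothing about the engine assembly, so the module load is what to watch. Expect some legitimate management software to host the engine as well; those images belong on the allowlist after review rather than being suppressed globally.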
Section Contents
- Command and Scripting Interpreter: Abusing built-in command shells (PowerShell, Bash) to execute malicious code. Downgrade attacks and logging bypasses.
- Container and Cloud Execution: Executing malicious code in containerized (Docker/K8s) or cloud environments (Serverless).
- Inter-Process Communication: Abusing mechanisms that allow processes to talk to each other to execute code (COM, DDE).
- User Execution: Techniques that rely on specific user actions to execute malicious code.