Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.
Tactic Overview
Tactic ID: TA0002 — Matrix: Enterprise — Techniques: 17
The Execution tactic represents a phase in the adversary lifecycle where the adversary is trying to run malicious code. This tactic is part of the MITRE ATT&CK Enterprise matrix and encompasses 17 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (17)
The following techniques are categorized under the Execution tactic in the MITRE ATT&CK Enterprise matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
T1651 | Cloud Administration Command | Adversaries abuse cloud management services and APIs to execute commands on cloud-hosted virtual machines. | T1651 |
T1059 | Command and Scripting Interpreter (13 sub-techniques) | Adversaries abuse command interpreters (PowerShell, cmd, bash, Python) to execute malicious commands. The most widely used execution technique across threat actors including APT28, APT32, APT41, FIN7, and Turla. | T1059 |
T1609 | Container Administration Command | Adversaries execute commands within containers using tools like kubectl exec or Docker CLI to run malicious payloads. | T1609 |
T1610 | Deploy Container | Adversaries deploy malicious containers to execute code, bypass security controls, and establish persistence in container environments. | T1610 |
T1675 | ESXi Administration Command | Adversaries use ESXi administrative commands and scripts to execute malicious operations on hypervisor hosts. | T1675 |
T1203 | Exploitation for Client Execution | Adversaries exploit software vulnerabilities in client applications like browsers, Office, and PDF readers to execute code on target systems. | T1203 |
T1674 | Input Injection | Adversaries inject input events to interact with applications and execute commands as if from a legitimate user. | T1674 |
T1559 | Inter-Process Communication (3 sub-techniques) | Adversaries abuse IPC mechanisms like COM, DDE, and XPC to execute code within other processes. | T1559 |
T1106 | Native API | Adversaries interact directly with the native OS API (Win32, POSIX, macOS APIs) to execute behaviors that may evade high-level monitoring. | T1106 |
T1677 | Poisoned Pipeline Execution | Adversaries inject malicious code into CI/CD pipeline definitions to execute code within build environments. | T1677 |
T1053 | Scheduled Task/Job (5 sub-techniques) | Adversaries abuse task scheduling (schtasks, cron, systemd timers) to execute malicious code at system startup or on recurring schedules for persistence and privilege escalation. | T1053 |
T1648 | Serverless Execution | Adversaries abuse serverless computing functions (AWS Lambda, Azure Functions) to execute malicious code in cloud environments. | T1648 |
T1129 | Shared Modules | Adversaries execute malicious payloads via loading shared modules such as DLLs or shared libraries. | T1129 |
T1072 | Software Deployment Tools | Adversaries abuse enterprise software deployment tools like SCCM, Altiris, or Ansible to execute code across an environment. | T1072 |
T1569 | System Services (3 sub-techniques) | Adversaries abuse system services (launchctl, service execution, systemctl) to execute malicious payloads with elevated privileges. | T1569 |
T1204 | User Execution (5 sub-techniques) | Adversaries rely on user interaction to execute malicious payloads, such as opening attachments, clicking links, or running malicious images. | T1204 |
T1047 | Windows Management Instrumentation | Adversaries abuse WMI to execute commands, deploy malware, and gather information across networked Windows systems. | T1047 |
Key Technique Deep Dives
The following techniques are among the most commonly observed in real-world attacks within this tactic:
Real-World Usage
- APT32: Used COM scriptlets to deploy Cobalt Strike beacons
- FIN7: SQL scripts for victim machine tasks
- APT39: Custom scripts for internal reconnaissance
- Dragonfly: Command line for execution across ICS targets
- Stealth Falcon: WMI scripting for data collection and command execution
Key Mitigations
- M1042 - Disable or Remove Feature: Disable unnecessary shells and interpreters
- M1038 - Execution Prevention: Apply PowerShell Constrained Language mode
- M1045 - Code Signing: Permit execution of signed scripts only
- M1026 - Privileged Account Management: Restrict PowerShell execution to admins
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- Application whitelisting
- PowerShell constrained language mode
- Disable unused scripting engines
- Code signing enforcement
- Endpoint Detection and Response (EDR)
Detection Strategies
Effective detection of Execution techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
Associated Threat Actors
The following threat actors are known to heavily leverage techniques from the Execution tactic:
For comprehensive threat actor profiles, visit the APT Groups Hub.
Resources & References
Defend Against Execution Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Stay updated on MITRE ATT&CK developments and threat intelligence insights.
View All Reports →Written by Mjolnir Security Research — Published March 7, 2026