ICS Execution consists of techniques adversaries use to run malicious code on ICS devices and systems. This includes using command-line interfaces, scripting engines, APIs, and graphical interfaces to interact with programmable logic controllers (PLCs), remote terminal units (RTUs), and other control system devices.
Tactic Overview
Tactic ID: TA0104 — Matrix: ICS — Techniques: 10
The Execution tactic represents a phase in the adversary lifecycle where the adversary is trying to run code or manipulate system functions, parameters, and data in an unauthorized way. This tactic is part of the MITRE ATT&CK ICS matrix and encompasses 10 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (10)
The following techniques are categorized under the Execution tactic in the MITRE ATT&CK ICS matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
T0895 | Autorun Image | Adversaries use autorun images on removable media to automatically execute malicious code when inserted into ICS workstations. | T0895 |
T0858 | Change Operating Mode | Adversaries change the operating mode of PLCs or controllers to enable unauthorized program modifications or bypass protections. | T0858 |
T0807 | Command-Line Interface | Adversaries use command-line interfaces on ICS devices and engineering workstations to execute malicious commands. | T0807 |
T0871 | Execution through API | Adversaries use ICS device APIs (OPC, Modbus, DNP3) to execute unauthorized commands on controllers. | T0871 |
T0823 | Graphical User Interface | Adversaries use HMI and engineering software GUIs to interact with and modify ICS processes. | T0823 |
T0874 | Hooking | Adversaries intercept API calls and function hooks on ICS workstations to modify program behavior and escalate privileges. | T0874 |
T0821 | Modify Controller Tasking | Adversaries modify the tasks or logic running on PLCs and controllers to alter physical processes. | T0821 |
T0834 | Native API | Adversaries call native operating system APIs on ICS devices to interact directly with system functions. | T0834 |
T0853 | Scripting | Adversaries use scripting languages on ICS engineering workstations to automate malicious operations. | T0853 |
T0863 | User Execution | Adversaries rely on ICS operators or engineers to execute malicious files or programs on control system workstations. | T0863 |
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- Application whitelisting
- Disable unnecessary scripting
- Controller access controls
- Network monitoring for ICS protocols
- Secure engineering workstations
Detection Strategies
Effective detection of Execution techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
Associated Threat Actors
The following threat actors are known to heavily leverage techniques from the Execution tactic:
For comprehensive threat actor profiles, visit the APT Groups Hub.
Resources & References
Defend Against Execution Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Stay updated on MITRE ATT&CK developments and threat intelligence insights.
View All Reports →Written by Mjolnir Security Research — Published March 7, 2026