Execution (20 techniques)
Running adversary-controlled code on a local or remote system.
The Execution tactic groups MITRE ATT&CK techniques that adversaries use to run adversary-controlled code on a local or remote system. Each technique below has its own page with detection guidance, platforms, and sub-techniques.
- T1047 — Windows Management Instrumentation (Windows)
- T1053 — Scheduled Task/Job (Containers, ESXi, Linux, macOS, Network Devices, Windows)
- T1059 — Command and Scripting Interpreter (Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows)
- T1072 — Software Deployment Tools (Linux, macOS, Network Devices, SaaS, Windows)
- T1106 — Native API (Linux, macOS, Windows)
- T1127 — Trusted Developer Utilities Proxy Execution (Windows)
- T1129 — Shared Modules (Linux, macOS, Windows)
- T1197 — BITS Jobs (Windows)
- T1203 — Exploitation for Client Execution (Linux, macOS, Windows)
- T1204 — User Execution (Linux, Windows, macOS, IaaS, Containers)
- T1559 — Inter-Process Communication (Linux, macOS, Windows)
- T1569 — System Services (Windows, macOS, Linux)
- T1574 — Hijack Execution Flow (Linux, macOS, Windows)
- T1609 — Container Administration Command (Containers)
- T1610 — Deploy Container (Containers)
- T1648 — Serverless Execution (SaaS, IaaS, Office Suite)
- T1651 — Cloud Administration Command (IaaS)
- T1674 — Input Injection (Windows, macOS, Linux)
- T1675 — ESXi Administration Command (ESXi)
- T1677 — Poisoned Pipeline Execution (SaaS)