Execution (20 techniques)
Running adversary-controlled code on a local or remote system.
The Execution tactic groups MITRE ATT&CK techniques used by adversaries torunning adversary-controlled code on a local or remote system. Each technique below has its own page with detection guidance, platforms, and sub-techniques.
- T1047 - Windows Management InstrumentationWindows
- T1053 - Scheduled Task/JobContainers, ESXi, Linux, macOS, Network Devices, Windows
- T1059 - Command and Scripting InterpreterContainers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows
- T1072 - Software Deployment ToolsLinux, macOS, Network Devices, SaaS, Windows
- T1106 - Native APILinux, macOS, Windows
- T1127 - Trusted Developer Utilities Proxy ExecutionWindows
- T1129 - Shared ModulesLinux, macOS, Windows
- T1197 - BITS JobsWindows
- T1203 - Exploitation for Client ExecutionLinux, macOS, Windows
- T1204 - User ExecutionLinux, Windows, macOS, IaaS, Containers
- T1559 - Inter-Process CommunicationLinux, macOS, Windows
- T1569 - System ServicesWindows, macOS, Linux
- T1574 - Hijack Execution FlowLinux, macOS, Windows
- T1609 - Container Administration CommandContainers
- T1610 - Deploy ContainerContainers
- T1648 - Serverless ExecutionSaaS, IaaS, Office Suite
- T1651 - Cloud Administration CommandIaaS
- T1674 - Input InjectionWindows, macOS, Linux
- T1675 - ESXi Administration CommandESXi
- T1677 - Poisoned Pipeline ExecutionSaaS
Detection engineering training, taught by practitioners.
Learn how to build real detections across the MITRE ATT&CK framework.
View Courses