Execution (20 techniques)
Running adversary-controlled code on a local or remote system.
The Execution tactic groups MITRE ATT&CK techniques that adversaries use to run adversary-controlled code on a local or remote system. Each technique below has its own page with detection guidance, platforms, and sub-techniques.
- T1047 — Windows Management Instrumentation (Windows)
- T1053 — Scheduled Task/Job (Containers, ESXi, Linux, macOS, Network Devices, Windows)
- T1059 — Command and Scripting Interpreter (Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows)
- T1072 — Software Deployment Tools (Linux, macOS, Network Devices, SaaS, Windows)
- T1106 — Native API (Linux, macOS, Windows)
- T1127 — Trusted Developer Utilities Proxy Execution (Windows)
- T1129 — Shared Modules (Linux, macOS, Windows)
- T1197 — BITS Jobs (Windows)
- T1203 — Exploitation for Client Execution (Linux, macOS, Windows)
- T1204 — User Execution (Linux, Windows, macOS, IaaS, Containers)
- T1559 — Inter-Process Communication (Linux, macOS, Windows)
- T1569 — System Services (Windows, macOS, Linux)
- T1574 — Hijack Execution Flow (Linux, macOS, Windows)
- T1609 — Container Administration Command (Containers)
- T1610 — Deploy Container (Containers)
- T1648 — Serverless Execution (SaaS, IaaS, Office Suite)
- T1651 — Cloud Administration Command (IaaS)
- T1674 — Input Injection (Windows, macOS, Linux)
- T1675 — ESXi Administration Command (ESXi)
- T1677 — Poisoned Pipeline Execution (SaaS)