The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

| Technique ID | Technique Name | Number of Mappings | Number of Subtechniques |
|---|---|---|---|
| T1059 | Command and Scripting Interpreter | 24 | 8 |
| T1609 | Container Administration Command | 9 | 0 |
| T1610 | Deploy Container | 9 | 0 |
| T1203 | Exploitation for Client Execution | 15 | 0 |
| T1559 | Inter-Process Communication | 19 | 2 |
| T1106 | Native API | 7 | 0 |
| T1053 | Scheduled Task/Job | 15 | 6 |
| T1129 | Shared Modules | 5 | 0 |
| T1072 | Software Deployment Tools | 24 | 0 |
| T1569 | System Services | 14 | 2 |
| T1204 | User Execution | 13 | 3 |
| T1047 | Windows Management Instrumentation | 18 | 0 |