The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.
View in MITRE ATT&CK®| Technique ID | Technique Name | Number of Mappings | Number of Subtechniques |
|---|---|---|---|
| T1047 | Windows Management Instrumentation | 31 | 0 |
| T1129 | Shared Modules | 8 | 0 |
| T1053 | Scheduled Task/Job | 32 | 5 |
| T1106 | Native API | 17 | 0 |
| T1610 | Deploy Container | 26 | 0 |
| T1059 | Command and Scripting Interpreter | 223 | 11 |
| T1609 | Container Administration Command | 28 | 0 |
| T1204 | User Execution | 46 | 3 |
| T1072 | Software Deployment Tools | 52 | 0 |
| T1559 | Inter-Process Communication | 30 | 3 |
| T1203 | Exploitation for Client Execution | 84 | 0 |
| T1569 | System Services | 24 | 2 |
| T1651 | Cloud Administration Command | 23 | 0 |
| T1648 | Serverless Execution | 16 | 0 |