Execution

The adversary is trying to run malicious code.

Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

Most of these techniques do not require a Tool but just access and Native Tools from the Windows Machine itself one of the reasons we want to use Execution on Windows-Signed Binaries is to mainly avoid detection or:

Avoid creating new processes/network connections
Avoid creating anomalous parent/child relationships
Avoid creating/modifying files/registry entries
Avoid creating memory anomalies
Avoid leaving evidence in log files

PreviousT1199: Trusted Relationship NextT1047:Windows Management Instrumentation

Last updated 3 years ago