Windows Management Instrumentation
Windows Management Instrumentation (T1047) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads.
ATT&CK tactic
64 techniques mapped to this tactic.
Windows Management Instrumentation (T1047) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads.
Scheduled Task/Job (T1053) is a MITRE ATT&CK technique associated with Execution, Persistence, Privilege Escalation. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.
At (T1053.002) is a MITRE ATT&CK technique associated with Execution, Persistence, Privilege Escalation. Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code.
Cron (T1053.003) is a MITRE ATT&CK technique associated with Execution, Persistence, Privilege Escalation. Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a tim…
Scheduled Task (T1053.005) is a MITRE ATT&CK technique associated with Execution, Persistence, Privilege Escalation. Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code.
Systemd Timers (T1053.006) is a MITRE ATT&CK technique associated with Execution, Persistence, Privilege Escalation. Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code.
Container Orchestration Job (T1053.007) is a MITRE ATT&CK technique associated with Execution, Persistence, Privilege Escalation. Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of contain…
Command and Scripting Interpreter (T1059) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
PowerShell is a Windows automation and configuration environment built on .NET. Adversaries abuse it for execution, discovery, download, credential access, and administration because it is widely installed and can interact with operating system and cloud APIs. PowerShell use i…
AppleScript (T1059.002) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse AppleScript for execution.
Windows Command Shell (T1059.003) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse the Windows command shell for execution.
Unix Shell (T1059.004) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse Unix shell commands and scripts for execution.
Visual Basic (T1059.005) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse Visual Basic (VB) for execution.
Python (T1059.006) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse Python commands and scripts for execution.
JavaScript (T1059.007) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse various implementations of JavaScript for execution.
Network Device CLI (T1059.008) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Cloud API (T1059.009) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse cloud APIs to execute malicious commands.
AutoHotKey & AutoIT (T1059.010) is a MITRE ATT&CK technique associated with Execution. Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts.
Lua (T1059.011) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse Lua commands and scripts for execution.
Hypervisor CLI (T1059.012) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse hypervisor command line interpreters (CLIs) to execute malicious commands.
Container CLI/API (T1059.013) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments.
Software Deployment Tools (T1072) is a MITRE ATT&CK technique associated with Execution, Lateral Movement. Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network.
Native API (T1106) is a MITRE ATT&CK technique associated with Execution. Adversaries may interact with the native OS application programming interface (API) to execute behaviors.
Trusted Developer Utilities Proxy Execution (T1127) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads.
MSBuild (T1127.001) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility.
ClickOnce (T1127.002) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility. ClickOnce is a deployment that enables a user to…
JamPlus (T1127.003) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may use JamPlus to proxy the execution of a malicious script.
Shared Modules (T1129) is a MITRE ATT&CK technique associated with Execution. Adversaries may execute malicious payloads via loading shared modules.
BITS Jobs (T1197) is a MITRE ATT&CK technique associated with Stealth, Persistence, Execution. Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks.
Exploitation for Client Execution (T1203) is a MITRE ATT&CK technique associated with Execution. Adversaries may exploit software vulnerabilities in client applications to execute code.
User Execution (T1204) is a MITRE ATT&CK technique associated with Execution. An adversary may rely upon specific actions by a user in order to gain execution.
Malicious Link (T1204.001) is a MITRE ATT&CK technique associated with Execution. An adversary may rely upon a user clicking a malicious link in order to gain execution.
Malicious File (T1204.002) is a MITRE ATT&CK technique associated with Execution. An adversary may rely upon a user opening a malicious file in order to gain execution.
Malicious Image (T1204.003) is a MITRE ATT&CK technique associated with Execution. Adversaries may rely on a user running a malicious image to facilitate execution.
Malicious Copy and Paste (T1204.004) is a MITRE ATT&CK technique associated with Execution. An adversary may rely upon a user copying and pasting code in order to gain execution.
Malicious Library (T1204.005) is a MITRE ATT&CK technique associated with Execution. Adversaries may rely on a user installing a malicious library to facilitate execution.
Inter-Process Communication (T1559) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution.
Component Object Model (T1559.001) is a MITRE ATT&CK technique associated with Execution. Adversaries may use the Windows Component Object Model (COM) for local code execution.
Dynamic Data Exchange (T1559.002) is a MITRE ATT&CK technique associated with Execution. Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands.
XPC Services (T1559.003) is a MITRE ATT&CK technique associated with Execution. Adversaries can provide malicious content to an XPC service daemon for local code execution.
System Services (T1569) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse system services or daemons to execute commands or programs.
Launchctl (T1569.001) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse launchctl to execute commands or programs.
Service Execution (T1569.002) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse the Windows service control manager to execute malicious commands or payloads.
Systemctl (T1569.003) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse systemctl to execute commands or programs.
Hijack Execution Flow (T1574) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs.
DLL (T1574.001) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses.
Dylib Hijacking (T1574.004) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime.
Executable Installer File Permissions Weakness (T1574.005) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer.
Dynamic Linker Hijacking (T1574.006) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries.
Path Interception by PATH Environment Variable (T1574.007) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries.
Path Interception by Search Order Hijacking (T1574.008) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.
Path Interception by Unquoted Path (T1574.009) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
Services File Permissions Weakness (T1574.010) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may execute their own malicious payloads by hijacking the binaries used by services.
Services Registry Permissions Weakness (T1574.011) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
COR_PROFILER (T1574.012) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.
KernelCallbackTable (T1574.013) is a MITRE ATT&CK technique associated with Stealth, Execution. An adversary may hijack the execution flow of a process using the KernelCallbackTable by replacing an original callback function with a malicious payload.
AppDomainManager (T1574.014) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may execute their own malicious payloads by hijacking how the .NET AppDomainManager loads assemblies.
Container Administration Command (T1609) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse a container administration service to execute commands within a container.
Deploy Container (T1610) is a MITRE ATT&CK technique associated with Execution. Adversaries may deploy a container into an environment to facilitate execution or evade defenses.
Serverless Execution (T1648) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments.
Cloud Administration Command (T1651) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse cloud management services to execute commands within virtual machines.
Input Injection (T1674) is a MITRE ATT&CK technique associated with Execution. Adversaries may simulate keystrokes on a victim’s computer by various means to perform any type of action on behalf of the user, such as launching the command interpreter using keyboard shortcuts…
ESXi Administration Command (T1675) is a MITRE ATT&CK technique associated with Execution. Adversaries may abuse ESXi administration services to execute commands on guest machines hosted within an ESXi virtual environment.
Poisoned Pipeline Execution (T1677) is a MITRE ATT&CK technique associated with Execution. Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by injecting malicious code into the build process.