Execution (TA0002)

The Attacker's Critical Ignition Phase & Complete Defense Guide

Introduction: The Moment of Ignition

Execution is the tactic where adversaries run their malicious code on a victim system to accomplish their objectives. In plain English, this is the moment when the attacker's dormant payload springs to life and starts doing damage.

This tactic represents a critical turning point in the cyber kill chain. Once an attacker achieves Initial Access by getting malware onto your system, nothing happens until they cross the Execution threshold. Without successful code execution, ransomware can't encrypt files, banking trojans can't steal credentials, and advanced persistent threats can't establish persistence. If defenders can block execution, the attack chain breaks immediately, preventing potentially catastrophic damage.

Think of it this way: gaining access is like planting a bomb, but Execution is lighting the fuse. The difference between a neutralized threat and a full-scale breach often comes down to whether adversaries can successfully execute their code.

The Core Analogy: The Demolition Expert

Vocabulary Decoder Ring

• PowerShell: A powerful Windows scripting language and command-line shell that administrators use for automation. Why it matters here: Attackers love PowerShell because it's pre-installed on Windows systems, highly capable, and can execute code directly from memory without touching the disk, making detection harder.
• Windows Management Instrumentation (WMI): A Windows administration framework that allows remote management and automation of system tasks. Why it matters here: Adversaries abuse WMI to execute commands remotely and persistently, often bypassing traditional security controls because it's a trusted system component.
• Scheduled Tasks: Built-in Windows and Linux functionality that allows programs to run automatically at specific times or under certain conditions. Why it matters here: Attackers create malicious scheduled tasks to execute their payloads at predetermined times, ensuring code runs even after system reboots.
• Living-Off-The-Land Binaries (LOLBins): Legitimate system utilities that attackers repurpose for malicious execution. Why it matters here: Using trusted system tools like cmd.exe, regsvr32.exe, or mshta.exe helps adversaries evade detection since security tools typically whitelist these binaries.
• Fileless Execution: Running malicious code directly in memory without writing files to disk. Why it matters here: This technique bypasses traditional antivirus solutions that scan files on disk, making the malware significantly harder to detect and analyze.

The Attacker's Playbook (Red Team View)

Red Team Analogy: Choosing the Right Detonator

As the demolition expert in our analogy, the attacker has carefully positioned their explosives and now faces a critical decision: which trigger mechanism offers the best chance of success? They evaluate each option against the building's security measures. Is there a guard monitoring radio frequencies? Then radio detonation is too risky. Are inspectors checking for suspicious timers? That option is eliminated.

The expert looks for the path of least resistance perhaps disguising their trigger inside a routine maintenance procedure that happens daily, or using a remote method that blends with normal building operations. They want the detonation to happen before anyone realizes what's occurring, giving them maximum impact with minimum detection risk.

Common Execution Techniques

• T1059 - Command and Scripting Interpreter: Attackers abuse command-line interfaces and scripting engines like PowerShell, Python, JavaScript, or Bash to execute malicious code with the flexibility of full programming languages.
• T1053 - Scheduled Task/Job: Adversaries create scheduled tasks or cron jobs to execute payloads automatically at specific times, ensuring persistence and delayed execution that may evade immediate detection.
• T1047 - Windows Management Instrumentation: Threat actors leverage WMI to execute commands locally or remotely, often to maintain stealth since WMI is a legitimate Windows management tool trusted by most security solutions.
• T1204 - User Execution: Attackers trick users into running malicious files through phishing emails, malicious links, or social engineering, leveraging human trust as the execution trigger.
• T1106 - Native API: Advanced adversaries directly call Windows Native APIs to execute code, bypassing higher-level APIs that security tools typically monitor, providing stealth and flexibility.

Attacker's Toolbox

• PowerShell Empire / Covenant: Post-exploitation frameworks that heavily utilize PowerShell for stealthy execution, allowing attackers to run commands directly in memory and evade disk-based detection.
• Cobalt Strike: A commercial penetration testing tool frequently abused by threat actors, offering sophisticated execution capabilities including process injection, in-memory execution, and beacon payloads.
• Metasploit Framework: An open-source exploitation platform providing numerous execution modules, allowing attackers to run payloads through various techniques from scripting interpreters to service creation.

Command-Line Glimpse: PowerShell Execution

This technique is devastating because the malicious code never touches the disk, making it invisible to traditional antivirus that scans files. The encoded command obscures the true intent from basic monitoring tools.

The Defender's Handbook (Blue Team View)

Blue Team Analogy: Monitoring All Ignition Points

As the building safety inspector, you understand that explosives may already be hidden throughout the structure. Your mission isn't to find every hidden charge that's nearly impossible. Instead, you focus on monitoring every possible way someone could trigger a detonation. You install sensors on electrical systems, monitor radio frequencies, watch for unauthorized access to control panels, and train your team to recognize suspicious behavior near critical infrastructure.

You know that preventing ignition is your last line of defense. If you can detect and stop the trigger mechanism, the threat is neutralized regardless of how much explosive material is present. Every suspicious signal, every unauthorized access attempt, every anomalous pattern could be the moment someone tries to light the fuse.

SOC Reality Check: What Analysts Actually See

Threat Hunter's Eye: A Specific Hunt Hypothesis

Hunt Hypothesis: "Identify instances where scripting interpreters (PowerShell, cmd.exe, wscript.exe) are spawned by unexpected parent processes, particularly productivity applications like Microsoft Office, Adobe Reader, or browsers, which may indicate document-based malware executing payloads."

Look for anomalous parent-child process relationships using Windows Event ID 4688 with command-line logging enabled, or EDR telemetry showing process trees. Pay special attention to executions that include obfuscation techniques like encoding, concatenation, or environment variable abuse. This hunt often uncovers phishing campaigns leveraging malicious macros or embedded objects.

Defensive Tools

• Endpoint Detection and Response (EDR) Platforms: Solutions like CrowdStrike Falcon, Microsoft Defender for Endpoint, or SentinelOne provide real-time monitoring of process execution, script behavior, and in-memory activities with behavioral analytics.
• Application Whitelisting / Application Control: Technologies like Windows AppLocker or Carbon Black App Control enforce strict policies about which applications can execute, blocking unauthorized code at the execution stage.
• SIEM with Execution-Focused Detection Rules: Splunk, Elastic SIEM, or Azure Sentinel configured with correlation rules detecting suspicious execution patterns across Windows Event Logs, Sysmon, and PowerShell logging.

Blue Team Command: PowerShell Detection Query

Real-World Example: Emotet's Execution Chain

The Emotet banking trojan provides a perfect case study of sophisticated Execution techniques. Between 2018-2021, Emotet was one of the most prolific malware families, responsible for hundreds of millions of dollars in damage worldwide before being dismantled by law enforcement in Operation LadyBird.

Emotet's operators used phishing emails containing malicious Microsoft Office documents. When victims opened these documents and enabled macros (User Execution - T1204), the embedded VBA macro executed PowerShell commands. These commands used the Command and Scripting Interpreter technique (T1059.001) to download additional payloads from compromised websites.

In the Emotet campaigns, the threat group used Execution when they triggered PowerShell downloads from Word macros. This allowed them to establish initial footholds, download additional modules, steal credentials, and deliver secondary payloads like Trickbot and ransomware to victim organizations.

The execution chain typically looked like this: WINWORD.EXE → powershell.exe -EncodedCommand [Base64] → Download second-stage DLL → regsvr32.exe loads malicious DLL. Each step leveraged legitimate system utilities, making detection challenging for organizations without proper monitoring of execution behaviors.

Mapping the MITRE Landscape

The MITRE ATT&CK framework catalogs twelve primary techniques under the Execution tactic. Below is a curated selection of the most commonly observed techniques in real-world incidents. Each technique contains multiple sub-techniques providing specific implementation details those deeper dives will be covered in future dedicated posts.

This represents a high-level overview of the Execution landscape. Each technique branches into specific sub-techniques for example, T1059 includes PowerShell (.001), Python (.006), JavaScript (.007), and many others. Future posts will provide comprehensive analyses of individual techniques with detection strategies and mitigation guidance.

Key Takeaways & Immediate Actions

Further Learning & References

• MITRE ATT&CK Execution Tactic (TA0002): https://attack.mitre.org/tactics/TA0002/
  The authoritative source for all Execution techniques, sub-techniques, and procedure examples from real threat groups. Essential reading for understanding the complete execution landscape.
• Picus Security: Top Ransomware Attack Techniques: https://www.picussecurity.com/resource/blog/top-5-ransomware-attack-techniques
  Detailed analysis of how ransomware families leverage execution techniques, with practical mitigation strategies for defenders.
• CISA: PowerShell Execution Policy Bypass: Alerts and guidance on detecting and preventing PowerShell-based execution attacks that bypass security controls. Check CISA.gov for latest advisories.
• Understanding Initial Access Tactics: Before adversaries can execute code, they must gain initial access. Explore how attackers breach perimeter defenses through phishing, exploits, and supply chain compromises
  the critical prerequisite to Execution.
• Next Step: Persistence Tactics: After successful execution, attackers immediately work to maintain their foothold. Learn how adversaries establish persistence mechanisms ensuring their malware survives reboots and remains operational long-term.

Understanding Execution is the foundation for stopping modern cyber threats. By mastering detection at this critical ignition point, defenders gain their most powerful opportunity to break the attack chain before damage occurs.