
Execution


The adversary is trying to run malicious code.

Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

Techniques: 14

ID Name Description
T1651 Cloud Administration Command Adversaries may abuse cloud management services to execute commands within virtual machines or hybrid-joined devices. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. Similarly, in Azure AD environments, Microsoft Endpoint Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to the Azure AD.
T1059 Command and Scripting Interpreter Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.
.001 PowerShell Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
.002 AppleScript Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
.003 Windows Command Shell Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.
.004 Unix Shell Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
.005 Visual Basic Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.
.006 Python Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.
.007 JavaScript Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.
.008 Network Device CLI Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands.
.009 Cloud API Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, PowerShell modules like Azure for PowerShell, or software developer kits (SDKs) available for languages such as Python.
T1609 Container Administration Command Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.
T1610 Deploy Container Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.
T1203 Exploitation for Client Execution Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly use to do work, so those applications are a useful target for exploit research and development because of their high utility.
T1559 Inter-Process Communication Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occur when processes are stuck in a cyclic waiting pattern.
.001 Component Object Model Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE). Remote COM execution is facilitated by Remote Services such as Distributed Component Object Model (DCOM).
.002 Dynamic Data Exchange Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.
.003 XPC Services Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for basic inter-process communication between various processes, such as between the XPC Service daemon and third-party application privileged helper tools. Applications can send messages to the XPC Service daemon, which runs as root, using the low-level XPC Service C API or the high level NSXPCConnection API in order to handle tasks that require elevated privileges (such as network connections). Applications are responsible for providing the protocol definition which serves as a blueprint of the XPC services. Developers typically use XPC Services to provide applications stability and privilege separation between the application client and the daemon.
T1106 Native API Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
T1053 Scheduled Task/Job Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
.002 At Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task's schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
.003 Cron Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.
.005 Scheduled Task Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.
.006 Systemd Timers Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to Cron in Linux environments. Systemd timers may be activated remotely via the systemctl command line utility, which operates over SSH.
.007 Container Orchestration Job Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.
T1648 Serverless Execution Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud environments. Many cloud providers offer a variety of serverless resources, including compute engines, application integration services, and web servers.
T1129 Shared Modules Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API.
T1072 Software Deployment Tools Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).
T1569 System Services Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary execution.
.001 Launchctl Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.
.002 Service Execution Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services. The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net.
T1204 User Execution An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.
.001 Malicious Link An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.
.002 Malicious File An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.
.003 Malicious Image Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via Upload Malware, and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.
T1047 Windows Management Instrumentation Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM). Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.