⚙️ MITRE ATT&CK: Tactic TA0002 – Execution Tactic Explained
- bharat kumar
- Oct 20
- 3 min read
Updated: Oct 21

In the MITRE ATT&CK framework, Execution (TA0002) represents one of the core tactics adversaries use after gaining initial access — it’s the phase where they run malicious code on the target system.
Simply put:
🎯 Execution = How attackers make their code run on your machine.
Once executed, attackers can install backdoors, steal data, move laterally, or maintain persistence. This makes Execution one of the most critical stages in any attack chain.
🧠 Objective of the Execution Tactic
The goal of Execution is to run malicious commands, scripts, or payloads on a compromised system to take control or perform harmful actions. This can be done interactively, through scripts, or by exploiting legitimate tools (like PowerShell or WMI).
🧩 Common MITRE Techniques under TA0002
Here are the main techniques (with examples) that fall under the Execution tactic 👇
| Technique ID | Technique Name | Description |
| --- | --- | --- |
| T1059 | Command and Scripting Interpreter | Attackers use tools like PowerShell, Bash, Python, or JavaScript to execute malicious scripts or commands. |
| T1047 | Windows Management Instrumentation (WMI) | Execution through WMI commands to perform administrative tasks remotely or locally. |
| T1569 | System Services | Running malicious code as a service (like creating or modifying Windows services). |
| T1203 | Exploitation for Client Execution | Using vulnerabilities in software (like browsers or Office apps) to execute payloads. |
| T1072 | Software Deployment Tools | Leveraging legitimate software deployment frameworks (like SCCM) to push malicious updates. |
| T1106 | Native API | Directly calling system APIs to execute code and evade detection. |
| T1053 | Scheduled Task / Job | Using cron jobs or Windows Task Scheduler to execute code periodically. |
| T1129 | Shared Modules | Executing code by loading malicious DLLs or shared libraries. |
| T1559 | Inter-Process Communication | Injecting commands or payloads into another process via RPC, named pipes, etc. |
| T1204 | User Execution | Tricking users to open malicious files, click phishing links, or enable macros. |
| T1125 | Video Capture | While not primary execution, sometimes leveraged to activate payloads when certain user actions occur. |
⚠️ Real-World Example
A phishing email drops a malicious Excel file. When the user opens it and enables macros, the VBA script runs → downloads a PowerShell payload → PowerShell executes commands to install a backdoor.
✅ MITRE Path: T1566 (Phishing) → T1204 (User Execution) → T1059 (PowerShell)
🛡️ Detection & Defense Recommendations
Here’s how you can detect and prevent execution-based attacks:
🔍 Detection
- Monitor command-line activity (especially PowerShell, WScript, or CMD).
- Enable script block logging and module logging in Windows.
- Check for unusual parent-child process relationships (e.g., Word spawning PowerShell).
- Use EDR solutions to detect anomalous script or process behaviors.
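As an added example (not code from the original post), here is a small Python detector that applies the two checks above, unusual parent-child relationships and suspicious command lines, to process-creation events and tags each hit with the TA0002 technique IDs used on this page. It uses Sysmon Event ID 1 field names (Image, ParentImage, CommandLine, ProcessId); the interpreter list, regex patterns and sample events are my own assumptions, and the log lines are constructed for the example.

```python
import json
import re

# Parent images that should rarely launch a script interpreter (the Excel -> PowerShell chain above).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and living-off-the-land binaries mapped to TA0002 technique IDs used on this page.
EXEC_TECHNIQUES = {"powershell.exe": "T1059", "pwsh.exe": "T1059", "cmd.exe": "T1059",
                   "wscript.exe": "T1059", "cscript.exe": "T1059", "wmic.exe": "T1047"}
# Command-line patterns (assumed, not exhaustive) that warrant an alert even when the parent looks benign.
SUSPICIOUS_ARGS = [r"-enc(odedcommand)?\b", r"-w(indowstyle)?\s+hidden", r"downloadstring",
                   r"\biex\b|invoke-expression", r"process\s+call\s+create"]

def image_name(path):
    """Normalise a full Windows image path to its lower-case file name."""
    return path.rsplit("\\", 1)[-1].lower()

def analyse(event):
    """Return (technique_id, reason) findings for one Sysmon-style process-creation event."""
    image, parent = image_name(event["Image"]), image_name(event["ParentImage"])
    technique = EXEC_TECHNIQUES.get(image)
    if technique is None:
        return []  # not an interpreter or LOLBin we track
    findings = []
    if parent in OFFICE_PARENTS:  # unusual parent-child relationship (T1204 -> T1059 chain)
        findings.append(("T1204", f"{parent} spawned {image}"))
        findings.append((technique, f"{image} launched by an Office application"))
    hits = [p for p in SUSPICIOUS_ARGS if re.search(p, event.get("CommandLine", ""), re.IGNORECASE)]
    if hits:
        findings.append((technique, "suspicious command line matched " + ", ".join(hits)))
    return findings

def scan(log_lines):
    """Parse newline-delimited JSON events; return {ProcessId: findings} for events that alert."""
    alerts = {}
    for line in filter(str.strip, log_lines.splitlines()):
        event = json.loads(line)
        findings = analyse(event)
        if findings:
            alerts[event["ProcessId"]] = findings
    return alerts

# Constructed sample events using Sysmon Event ID 1 field names; paths, PIDs and payload are made up.
SAMPLE_LOG = r"""
{"ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"ProcessId": 4188, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe Get-Process"}
{"ProcessId": 4210, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wmic process call create notepad.exe"}
{"ProcessId": 4300, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
"""
```

Calling `scan(SAMPLE_LOG)` flags the Excel-spawned PowerShell (T1204 plus T1059 with hidden/encoded arguments) and the WMIC process creation (T1047), while the explorer-launched `Get-Process` and notepad events produce nothing.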
🧰 Prevention
- Disable or restrict PowerShell if not required, or use Constrained Language Mode.
- Block macro execution in Office documents by default.
- Apply application whitelisting to allow only trusted executables.
- Use User Account Control (UAC) to prevent privilege escalation.
- Patch and update all software regularly to avoid exploit-based execution (T1203).
- Implement network segmentation to contain attacks.
🚀 Pro Tip
Attackers love “living off the land.” That means they often use legitimate system tools like PowerShell, WMI, or rundll32.exe — not external malware.
👉 Your detection strategy must focus on behavior, not just file signatures.
💡 Summary
| Category | Details |
| --- | --- |
| MITRE ID | TA0002 |
| Tactic Name | Execution |
| Goal | Run malicious code on the target system |
| Key Techniques | Command execution, scripting, user execution, service abuse |
| Best Defenses | Behavior-based detection, script monitoring, app whitelisting, macro restrictions |
🔒 Final Thoughts
The Execution phase is where attacks come alive — it’s where intent becomes impact. By monitoring command behavior, restricting scripting tools, and training users, you can stop many attacks before they spread deeper into your environment.
🧠 Stay tuned for Day 3 – Persistence (TA0003). We’ll explore how attackers stay inside your systems even after reboots!