Execution (MITRE Tactic)
What is Execution (MITRE Tactic)?
Execution (MITRE Tactic): The MITRE ATT&CK tactic (TA0002) covering techniques that run adversary-controlled code on a local or remote system.
Execution (MITRE ATT&CK tactic TA0002) describes the moment when adversary-controlled code actually runs on a victim system. It includes scripting interpreters such as PowerShell, JavaScript, Python, and shell; user execution of malicious attachments or shortcuts; native binaries like rundll32 and msbuild abused for living-off-the-land; scheduled task and service creation; and inter-process communication mechanisms. Many attackers chain Execution to gain a stable foothold after Initial Access, often combining it with Defense Evasion to avoid AV and EDR. Defenders look at process-creation telemetry (Sysmon Event ID 1, EDR), command-line auditing, application allowlisting, AMSI inspection, and constrained language modes to detect or prevent execution.
● Examples
- A macro launching PowerShell to download and run a Cobalt Strike beacon.
- Abusing rundll32.exe to load a malicious DLL from a writeable user directory.
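The two examples above can be matched in process-creation telemetry. The following sketch is an added example, not part of the original glossary entry: it applies two rules to constructed records that use Sysmon Event ID 1's Image, ParentImage and CommandLine fields. The rule names, the parent and interpreter lists, and the writable-directory pattern are assumptions to tune per environment.

```python
import ntpath
import re

# Assumed lists for illustration; tune both to the environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Directories a standard user can normally write to.
WRITABLE_DIR = re.compile(r"\\(users\\[^\\]+|programdata|windows\\temp)\\", re.I)
# First argument after rundll32 is the DLL path (quoted, or up to space/comma).
RUNDLL32_ARG = re.compile(r'rundll32(?:\.exe)?"?\s+("[^"]+"|[^\s,]+)', re.I)


def base(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(path.strip('"')).lower()


def classify(event):
    """Return rule names matched by one Sysmon Event ID 1 record (a dict)."""
    findings = []
    image, parent = base(event["Image"]), base(event["ParentImage"])
    if parent in OFFICE_PARENTS and image in INTERPRETERS:
        findings.append("office-spawned-interpreter")
    if image == "rundll32.exe":
        m = RUNDLL32_ARG.search(event["CommandLine"])
        if m and WRITABLE_DIR.search(m.group(1).strip('"')):
            findings.append("rundll32-user-writable-dll")
    return findings


# Constructed sample records using Sysmon's Image/ParentImage/CommandLine fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -NoProfile -File constructed.ps1"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,Start"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(base(ev["Image"]), classify(ev) or "no match")
```

An unquoted DLL path that contains spaces is truncated at the first space by the argument pattern, so such command lines need a stricter parser before this rule is relied on.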
● Frequently asked questions
What is Execution (MITRE Tactic)?
The MITRE ATT&CK tactic (TA0002) covering techniques that run adversary-controlled code on a local or remote system. It belongs to the Defense & Operations category of cybersecurity.
How do you defend against Execution (MITRE Tactic)?
Defences for Execution (MITRE Tactic) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Execution (MITRE Tactic)?
Common alternative names include: Execution tactic, TA0002.
● Related terms
- MITRE ATT&CK (compliance, № 687): A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- Initial Access (defense-ops, № 535): The MITRE ATT&CK tactic (TA0001) that covers techniques attackers use to first establish a foothold inside a target environment.
- Persistence (defense-ops, № 817): The MITRE ATT&CK tactic (TA0003) covering techniques that let an attacker maintain access to a system across reboots, credential changes, and incident response.
- Defense Evasion (defense-ops, № 298): The MITRE ATT&CK tactic (TA0005) covering techniques attackers use to avoid detection, disable security tools, and hide their activity on a target system.
- Cyber Kill Chain (defense-ops, № 265): Lockheed Martin's seven-stage model that describes how a targeted intrusion progresses from reconnaissance to actions on objectives.
- EDR (Endpoint Detection and Response) (defense-ops, № 371): An endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.