ATT&CK for Enterprise – TA0002 Execution
Execution, Tactic TA0002 – Enterprise | MITRE ATT&CK®
“Execution” in the context of cyberattack tactics refers to the process where an attacker successfully runs malicious code on a target system. This step is crucial in the attack lifecycle, as it’s the point at which the attacker’s code actually starts to perform its intended malicious activities. Execution can be achieved in various ways, such as through user-interaction (e.g., getting a user to run a malware-laden email attachment), exploiting vulnerabilities in software, or using legitimate system tools in unauthorized ways. The key goal for attackers in this stage is to ensure their code runs effectively without being detected, thereby allowing them to proceed with their primary objectives, be it data exfiltration, system compromise, or persisting within the network. This blog will explore and categorize specific alerts from Other security alerts documentation.
T1059 Command and Scripting Interpreter
| External ID | Name | Sev. | Description |
| 2019 | Remote code execution attempt | Medium | Nature of the Attack: This attack involves executing commands remotely on critical servers within an organization, specifically the AD DS, AD FS or AD CS servers. These servers are central to the management of user identities and security in a Windows environment. Compromise of Administrative Credentials: Attackers gaining access to administrative accounts can carry out this attack. Administrative accounts have the necessary permissions to execute commands on these critical servers. Exploitation of Zero-Day Vulnerabilities: A zero-day exploit refers to attacking a previously unknown vulnerability in software. This allows attackers to execute code without prior detection. Gaining Persistency: The attacker aims to maintain long-term access to the compromised system. Information Collection: Extracting sensitive information from the organization’s network. Denial of Service (DOS) Attacks ②: Disrupting services by overloading the system or crashing it. Other Malicious Activities: Depending on the attacker’s intent, the access could be used for various other harmful purposes. |
| 2026 | Suspicious service creation | Medium | Nature of the Attack: This attack involves executing commands remotely on critical servers within an organization, specifically the AD DS, AD FS or AD CS servers. These servers are central to the management of user identities and security in a Windows environment. Creation of new service: Services in Windows are programs that operate in the background and are often crucial for system operations or applications. The creation of an unauthorized or unknown service can be a sign of malicious activity, as attackers often install services to maintain persistent access to a system, execute malicious tasks, or monitor user activities. Detection Mechanism: The detection of this suspicious activity is primarily based on monitoring Windows event logs, particularly event ID 7045. This event ID logs the creation of new services. |
① “Zero-Day Vulnerability” refers to a flaw in software, hardware, or firmware that is unknown to the parties responsible for patching or fixing the flaw. It does not refer to any specific vulnerability. Instead, it’s a general term used to describe a type of vulnerability in software, hardware, or firmware. The term “zero-day” derives from the fact that the developers have “zero days” to fix the issue because it has already been exposed to potential attackers.
② A Denial of Service (DoS) Attack is a type of cyberattack where the attacker aims to make a machine or network resource unavailable to its intended users. The main goal is to disrupt normal service operations.
DoS attacks are typically conducted from a single or limited number of sources, whereas DDoS (Distributed Denial of Service Attack) attacks involve multiple, often numerous, sources operating in concert. As a result, DDoS attacks are generally more complex and harder to defend against than DoS attacks.