This is a list of the attack techniques (Techniques) associated with the "Execution" tactic.

| Technique ID | Name | Description |
|---|---|---|
| T1028 | Windows Remote Management | Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact wi… |
| T1035 | Service Execution | Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Serv… |
| T1047 | Windows Management Instrumentation | Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is design… |
| T1053 | Scheduled Task/Job | Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Util… |
| T1053.001 | At (Linux) | Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial, … |
| T1053.002 | At | Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial o… |
| T1053.003 | Cron | Adversaries may abuse the `cron` utility to perform task scheduling for initial or recurring execution of mal… |
| T1053.004 | Launchd | This technique is deprecated due to the inaccurate usage. The report cited did not provide technical detail as to how th… |
| T1053.005 | Scheduled Task | Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malici… |
| T1053.006 | Systemd Timers | Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Sy… |
| T1053.007 | Container Orchestration Job | Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to sche… |
| T1059 | Command and Scripting Interpreter | Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and la… |
| T1059.001 | PowerShell | Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line i… |
| T1059.002 | AppleScript | Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applicati… |
| T1059.003 | Windows Command Shell | Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org… |
| T1059.004 | Unix Shell | Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux… |
| T1059.005 | Visual Basic | Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interopera… |
| T1059.006 | Python | Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language… |
| T1059.007 | JavaScript | Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scr… |
| T1059.008 | Network Device CLI | Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious comm… |
| T1059.009 | Cloud API | Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various fun… |
| T1059.010 | AutoHotKey & AutoIT | Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts. AutoIT and … |
| T1059.011 | Lua | Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language… |
| T1059.012 | Hypervisor CLI | Adversaries may abuse hypervisor command line interpreters (CLIs) to execute malicious commands. Hypervisor CLIs typical… |
| T1059.013 | Container CLI/API | Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized environments. The … |
| T1061 | Graphical User Interface | **This technique has been deprecated. Please use [Remote Services](https://attack.mitre.org/techniques/T1021) where appr… |
| T1072 | Software Deployment Tools | Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands an… |
| T1086 | PowerShell | PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating … |
| T1106 | Native API | Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs pr… |
| T1129 | Shared Modules | Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are load… |
| T1153 | Source | **This technique has been deprecated and should no longer be used.** The `source` command loads functions in… |
| T1154 | Trap | The `trap` command allows programs and shells to specify commands that will be executed upon receiving interr… |
| T1155 | AppleScript | macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages… |
| T1173 | Dynamic Data Exchange | Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communicati… |
| T1177 | LSASS Driver | The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or doma… |
| T1203 | Exploitation for Client Execution | Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in so… |
| T1204 | User Execution | An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engin… |
| T1204.001 | Malicious Link | An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social… |
| T1204.002 | Malicious File | An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social … |
| T1204.003 | Malicious Image | Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machi… |
| T1204.004 | Malicious Copy and Paste | An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social … |
| T1204.005 | Malicious Library | Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors may [Upload Malware… |
| T1559 | Inter-Process Communication | Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically… |
| T1559.001 | Component Object Model | Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communica… |
| T1559.002 | Dynamic Data Exchange | Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol f… |
| T1559.003 | XPC Services | Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for… |
| T1569 | System Services | Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious cont… |
| T1569.001 | Launchctl | Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service manageme… |
| T1569.002 | Service Execution | Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service… |
| T1569.003 | Systemctl | Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface for systemd, the Lin… |
| T1609 | Container Administration Command | Adversaries may abuse a container administration service to execute commands within a container. A container administrat… |
| T1610 | Deploy Container | Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversa… |
| T1648 | Serverless Execution | Adversaries may abuse serverless computing, integration, and automation services to execute arbitrary code in cloud envi… |
| T1651 | Cloud Administration Command | Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Syste… |
| T1674 | Input Injection | Adversaries may simulate keystrokes on a victim’s computer by various means to perform any type of action on behalf of t… |
| T1675 | ESXi Administration Command | Adversaries may abuse ESXi administration services to execute commands on guest machines hosted within an ESXi virtual e… |
| T1677 | Poisoned Pipeline Execution | Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by injecting malicious code… |