Live Active security incident? Get immediate response
MITRE ATT&CK® Mitigation

M0938: Execution Prevention

Block execution of code on a system through application control, and/or script blocking.

ICSM0938MitigationObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Execution Prevention is an ICS mitigation focused on stopping unauthorized code from running through application control and script blocking. Its business value is reducing the chance that an operator workstation, engineering system, or control-related host becomes a launch point for command-line activity, scripts, disguised executables, API misuse, or trusted-binary proxy execution.

Executive priority

Prioritize this as a resilience and assurance control where uncontrolled code execution could affect operational continuity or safety-adjacent processes. Leaders should ask whether critical ICS environments have enforceable allowlists, script restrictions, change governance, and audit evidence aligned to the referenced IEC 62443 and NIST SI-3 control mappings, rather than relying only on detection after execution occurs.

Technical view

SOC, IR, and detection teams should validate whether application control and script blocking policies exist, are enforced, and generate reviewable events. Relationship context shows this mitigation is relevant to Command-Line Interface, Native API, Masquerading, Scripting, User Execution, Execution through API, and System Binary Proxy Execution behaviors. Because ATT&CK provides no official detection text and no platforms for this mitigation, local asset roles, approved software baselines, and control-system workflows must define what should be allowed versus blocked.

Likely telemetry

  • Application control allow, deny, and policy-enforcement logs
  • Script blocking or interpreter execution logs
  • Process execution and command-line activity records
  • File creation, rename, path, and signature or trust metadata for executables and scripts
  • User-initiated execution evidence such as installers, attachments, or documents that launch code

Detection direction

  • Confirm that blocked execution events are centrally collected and reviewed, not only enforced locally.
  • Tune alerts for attempts to run unapproved scripts, unexpected command-line tools, masqueraded executables, or trusted binaries used to launch other content.
  • Compare execution events against approved engineering and operations software baselines to reduce false positives from legitimate maintenance activity.
  • Review exceptions and bypass paths, since overly broad allowlists can weaken protection against scripting, user execution, and proxy execution behaviors.
  • Use relationship-driven hunting around CLI, scripting, masquerading, API-based execution, and system-binary proxy patterns, while avoiding assumptions about platform coverage not validated in the environment.

Mitigation priorities

  • Establish an approved software and script baseline for critical ICS assets before enforcing blocks.
  • Deploy application control and script blocking in a staged mode where feasible, then move to enforcement for stable systems.
  • Govern exceptions through change control with business owner approval and expiration where appropriate.
  • Protect policy configuration from unauthorized modification and retain logs for incident response and compliance evidence.
  • Regularly test whether approved tools, vendor utilities, and maintenance workflows still function while unapproved code is blocked.
Analyst notes and limits

This object is a mitigation, not an adversary behavior. The strongest decision value is in validating enforceable prevention and evidence quality across the ICS environment. The mapped standards labels support compliance-readiness discussions, but local control implementation determines whether they provide meaningful risk reduction.

ATT&CK does not provide official detection guidance, platforms, tactics, or aliases for this object. Telemetry and control recommendations are therefore framed as validation areas derived from the mitigation description and related techniques, not as guaranteed coverage.

Official MITRE ATT&CK definition

Execution Prevention

Block execution of code on a system through application control, and/or script blocking.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

7 rows
Domain ID Name Relationship / procedure
ICS T0863 User Execution

Application control may be able to prevent the running of executables masquerading as other files.
ICS T0853 Scripting

Execution prevention may prevent malicious scripts from accessing protected resources.
ICS T0894 System Binary Proxy Execution

Disallow the execution of applications/programs which are not required for normal system functions, including any specific command-line arguments which may allow the execution of proxy commands or application binaries.
ICS T0871 Execution through API

Minimize the exposure of API calls that allow the execution of code.
ICS T0834 Native API

Minimize the exposure of API calls that allow the execution of code.
ICS T0807 Command-Line Interface

Execution prevention may block malicious software from accessing protected resources through the command line interface.
ICS T0849 Masquerading

Use tools that restrict program execution via application control by attributes other than file name for common system and application utilities.
Relationship explorer

All related ATT&CK context

mitigates · Technique T0863: User Execution ICS mitigates · Technique T0853: Scripting ICS mitigates · Technique T0894: System Binary Proxy Execution ICS mitigates · Technique T0871: Execution through API ICS mitigates · Technique T0834: Native API ICS mitigates · Technique T0807: Command-Line Interface ICS mitigates · Technique T0849: Masquerading ICS
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
01d298abd9be6b2e...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 01d298abd9be…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack M0938
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use