TA0002: Execution
The adversary is trying to run malicious code.
Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.
Analyst context for executives and security teams
Execution is the point where suspicious activity becomes running adversary-controlled code. For leaders, this tactic matters because many incidents cannot progress without some form of code, script, tool, or remote command actually running on a local or remote system. Even when the initial entry point is different, business impact often depends on whether teams can prevent, observe, contain, and explain execution quickly.
Executive priority
Treat Execution as a core control and evidence area for resilience and incident readiness. Security leaders should ask whether the organization can prove what ran, where it ran, who or what initiated it, and what happened next. This is important for SOC triage, incident scoping, audit evidence, and prioritizing controls that reduce unapproved code execution rather than only detecting later-stage outcomes.
Technical view
Because ATT&CK provides no platform-specific detection guidance for this tactic object, defenders should validate execution visibility across the environments they operate rather than assume coverage. SOC and IR teams should be able to correlate process or script execution, remote command activity, user or service context, and follow-on behavior such as discovery or data access. The official ATT&CK description notes that Execution techniques are often paired with other tactics, so detections should not be evaluated in isolation; analysts should look for execution events that precede broader activity.
Likely telemetry
- Process and command execution records where available
- Script or interpreter activity, including PowerShell where relevant to the environment
- Remote administration or remote access tool activity that results in code execution
- User, service account, and session context tied to execution events
- Endpoint security or EDR observations of executed code or tools
Detection direction
- Validate that telemetry can answer: what ran, on which system, under which identity, and from what parent or remote source.
- Tune analytics around unusual or unauthorized execution patterns rather than relying only on known-malicious indicators.
- Correlate execution with neighboring tactics, since malicious code execution may enable discovery, credential access, movement, or data theft.
- Account for false positives from legitimate administration, automation, software deployment, and troubleshooting activity.
- Identify blind spots where local or remote execution can occur without centralized logging or durable retention.
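As an added example (not part of the page or of MITRE ATT&CK), the correlation pass below runs over constructed process-creation events and turns the "what ran, where, under which identity, from what parent" questions into a finding, then checks whether Remote System Discovery commands followed within a window so execution is not judged in isolation; the remote tool name, the approved-automation allowlist and all events are assumptions.

```python
from datetime import datetime, timedelta

REMOTE_TOOLS = {"remote_agent.exe"}                 # assumed remote-admin tool name
INTERPRETERS = {"powershell.exe", "cmd.exe"}
DISCOVERY = {"net.exe", "nltest.exe", "ping.exe"}   # Remote System Discovery commands
APPROVED = {("ws01", "CORP\\svc-rmm", "remote_agent.exe")}  # assumed reviewed automation
WINDOW = timedelta(minutes=5)                       # follow-on correlation window

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def parent_image(events, e):
    """Resolve the parent image via (host, ppid); None means the parent was never logged."""
    for p in events:
        if p["host"] == e["host"] and p["pid"] == e["ppid"] and _ts(p) <= _ts(e):
            return p["image"]
    return None

def correlate(events):
    """Flag interpreters launched by a remote tool and record what discovery followed."""
    findings = []
    for e in events:
        if e["image"] not in INTERPRETERS:
            continue
        parent = parent_image(events, e)
        if parent not in REMOTE_TOOLS:
            continue
        if (e["host"], e["user"], parent) in APPROVED:
            continue  # known administration path: suppressed, not a blind spot
        followed = [c["image"] for c in events
                    if c["host"] == e["host"] and c["ppid"] == e["pid"]
                    and c["image"] in DISCOVERY and _ts(e) <= _ts(c) <= _ts(e) + WINDOW]
        findings.append({"what": e["cmd"], "where": e["host"], "who": e["user"],
                         "parent": parent, "followed_by": followed,
                         "severity": "high" if followed else "medium"})
    return findings

def ev(ts, host, user, pid, ppid, image, cmd=None):
    return {"ts": ts, "host": host, "user": user, "pid": pid, "ppid": ppid, "image": image, "cmd": cmd or image}

EVENTS = [  # constructed sample process-creation events, not real telemetry
    ev("2024-05-01T10:00:00", "ws01", "CORP\\svc-rmm", 300, 4, "remote_agent.exe"),
    ev("2024-05-01T10:00:03", "ws01", "CORP\\svc-rmm", 301, 300, "powershell.exe",
       "powershell.exe -File C:\\ops\\patch-check.ps1"),
    ev("2024-05-01T11:00:00", "ws02", "CORP\\alice", 400, 4, "remote_agent.exe"),
    ev("2024-05-01T11:00:02", "ws02", "CORP\\alice", 401, 400, "powershell.exe",
       "powershell.exe -File C:\\Users\\alice\\discover.ps1"),
    ev("2024-05-01T11:00:04", "ws02", "CORP\\alice", 402, 401, "net.exe", "net view"),
    ev("2024-05-01T11:00:06", "ws02", "CORP\\alice", 403, 401, "nltest.exe", "nltest /dclist:corp"),
]
```

Running `correlate(EVENTS)` suppresses the ws01 chain as approved automation and returns one high-severity finding for ws02, whose `followed_by` list is the discovery evidence an analyst would pivot on.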
Mitigation priorities
- Prioritize control of who and what is allowed to execute code in sensitive environments.
- Harden administrative and remote execution paths so routine operations are authenticated, authorized, logged, and reviewable.
- Limit unnecessary scripting, tooling, and automation privileges based on role and operational need.
- Ensure endpoint and workload monitoring is deployed where execution risk is material to business operations.
- Test incident response playbooks for rapid containment and scoping when unauthorized execution is suspected.
Analyst notes and limits
This is a tactic-level object, not a specific technique. It provides strategic framing for adversary-controlled code execution but does not identify platforms, procedures, software, groups, mitigations, or detections. Use it to organize coverage reviews and then map to relevant Execution techniques for concrete engineering work.
No official detection text, platforms, tactics list, aliases, labels, or relationship context were supplied. Local environment architecture and logging capabilities are required to determine actual coverage, gaps, and priority systems.
Execution
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f467fa042b63… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack TA0002 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.