The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network.
Below is a list of all the Execution techniques in enterprise:
|macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the |
AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.Adversaries can use this to interact with open SSH connection, move to remote machines, and even present users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via python 1. Scripts can be run from the command lie via
|Command-Line Interface||Execution||Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms.2 One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task). Adversaries may use command-line interfaces to interact with systems and execute other software during the course of an operation.|
|Dynamic Data Exchange||Execution||Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.
Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by COM, DDE is still enabled in Windows 10 and most of Microsoft Office 2016 (a December 2017 patch created a Registry key that disables DDE in Word by default).3Adversaries may use DDE to execute arbitrary commands. Microsoft Office documents can be poisoned with DDE commands45 and used to deliver execution via spear phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros.6 DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to command line execution.
|Execution through API||Execution||Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters.7
Additional Windows API calls that can be used to execute binaries include:8
|Execution through Module Load||Execution||The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess(), LoadLibrary(), etc. of the Win32 API.9
The module loader can load DLLs:
|Graphical User Interface||Execution||Cause a binary or script to execute based on interacting with the file through a graphical user interface (GUI) or in an interactive remote session such as Remote Desktop Protocol.|
|InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries.10 InstallUtil is located in the .NET directories on a Windows system: |
|The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.12 Adversaries may target lsass.exe drivers to obtain execution and/or persistence. By either replacing or adding illegitimate drivers (e.g., DLL Side-Loading or DLL Search Order Hijacking), an adversary can achieve arbitrary code execution triggered by continuous LSA operations.|
|Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. By loading or reloading launch agents or launch daemons, adversaries can install persistence or execute changes they made 13. Running a command from launchctl is as simple as |
|Local Job Scheduling||Persistence|
|On Linux and Apple systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron,14 at,15 and launchd.16 Unlike Scheduled Task on Windows systems, job scheduling on Linux-based systems cannot be done remotely unless used in conjunction within an established remote session, like secure shell (SSH).
System-wide cron jobs are installed by modifying
Those methods allow for commands or scripts to be executed at specific, periodic intervals in the background without user interaction. An adversary may use job scheduling to execute programs at system startup or on a scheduled basis for Persistence,17181920 to conduct Execution as part of Lateral Movement, to gain root privileges, or to run a process under the context of a specific account.
The at program is another means on Linux-based systems, including Mac, to schedule a program or script job for execution at a later date and/or time, which could also be used for the same purposes.
launchdEach launchd job is described by a different configuration property list (plist) file similar to Launch Daemon or Launch Agent, except there is an additional key called
|Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension |
Files may be executed by mshta.exe through an inline script:
They may also be executed directly from URLs:
|PowerShell||Execution||PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.29 Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer.
PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.
Administrator permissions are required to use PowerShell to connect to remote systems.A number of PowerShell-based offensive testing tools are available, including Empire,30 PowerSploit,31 and PSAttack.32
|Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft.3334
Adversaries can use Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Both utilities may be used to bypass process whitelisting through use of attributes within the binary to specify code that should be run before registration or unregistration: |
|Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries.35
Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of whitelists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe is also a Microsoft signed binary.Regsvr32.exe can also be used to specifically bypass process whitelisting using functionality to load COM scriptlets to execute DLLs under user permissions. Since regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed.36 This variation of the technique has been used in campaigns targeting governments.37
|The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.
Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions |
|Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system.39 An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.|
|Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts. Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit40, Veil41, and PowerSploit31 are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell.42|
|Service Execution||Execution||Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.|
|Space after Filename||Defense Evasion|
|Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to "evil.txt " (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed43. Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.|
|Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.). If an adversary gains access to these systems, then they may be able to execute code.
Adversaries may gain access to and use third-party application deployment systems installed within an enterprise network. Access to a network-wide or enterprise-wide software deployment system enables an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the deployment server, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform software deployment.
|Trusted Developer Utilities||Defense Evasion|
|There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application whitelisting defensive solutions.
MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It takes XML formatted project files that define requirements for building various platforms and configurations.44
Adversaries can use MSBuild to proxy execution of code through a trusted Windows utility. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into the XML project file.45 MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application whitelisting defenses that are configured to allow MSBuild.exe execution.11
The .NET Execution Environment (DNX), dnx.exe, is a software development kit packaged with Visual Studio Enterprise. It was retired in favor of .NET Core CLI in 2016.46 DNX is not present on standard builds of Windows and may only be present on developer workstations using older versions of .NET Core and ASP.NET Core 1.0. The dnx.exe executable is signed by Microsoft.
An adversary can use dnx.exe to proxy execution of arbitrary code to bypass application whitelist policies that do not account for DNX.47
The rcsi.exe utility is a non-interactive command-line interface for C# that is similar to csi.exe. It was provided within an early version of the Roslyn .NET Compiler Platform but has since been deprecated for an integrated solution.48 The rcsi.exe binary is signed by Microsoft.49
C# .csx script files can be written and executed with rcsi.exe at the command-line. An adversary can use rcsi.exe to proxy execution of arbitrary code to bypass application whitelisting policies that do not account for execution of rcsi.exe.49
WinDbg is a Microsoft Windows kernel and user-mode debugging utility. The Microsoft Console Debugger (CDB) cdb.exe is also user-mode debugger. Both utilities are included in Windows software development kits and can be used as standalone tools.50 They are commonly used in software development and reverse engineering and may not be found on typical Windows systems. Both WinDbg.exe and cdb.exe binaries are signed by Microsoft.
An adversary can use WinDbg.exe and cdb.exe to proxy execution of arbitrary code to bypass application whitelist policies that do not account for execution of those utilities.51
It is likely possible to use other debuggers for similar purposes, such as the kernel-mode debugger kd.exe, which is also signed by Microsoft.
The file tracker utility, tracker.exe, is included with the .NET framework as part of MSBuild. It is used for logging calls to the Windows file system.52An adversary can use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions.53
|Windows Management Instrumentation||Execution||Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB)54 and Remote Procedure Call Service (RPCS)55 for remote access. RPCS operates over port 135.56 An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement.57|
|Windows Remote Management||Execution|
|Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).58 It may be called with the |
- Yerko Grbic. (2017, February 14). Macro Malware Targets Macs. Retrieved July 8, 2017.
- Wikipedia. (2016, June 26). Command-line interface. Retrieved June 27, 2016.
- Cimpanu, C. (2017, December 15). Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks. Retrieved December 19, 2017.
- El-Sherei, S. (2016, May 20). PowerShell, C-Sharp and DDE The Power Within. Retrieved November 22, 2017.
- Kettle, J. (2014, August 29). Comma Separated Vulnerabilities. Retrieved November 22, 2017.
- Stalmans, E., El-Sherei, S. (2017, October 9). Macro-less Code Exec in MSWord. Retrieved November 21, 2017.
- Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014.
- Kanthak, S. (2017). Application Verifier Provider. Retrieved February 13, 2017.
- Wikipedia. (2017, January 31). Microsoft Windows library files. Retrieved February 13, 2017.
- Microsoft. (n.d.). Installutil.exe (Installer Tool). Retrieved July 1, 2016.
- [ Smith, C. (2016, August 17). Includes 5 Known Application Whitelisting/ Application Control Bypass Techniques in One File. Retrieved June 30, 2017.]
- Microsoft. (n.d.). Security Subsystem Architecture. Retrieved November 27, 2017.
- Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- Paul Vixie. (n.d.). crontab(5) - Linux man page. Retrieved December 19, 2017.
- Thomas Koenig. (n.d.). at(1) - Linux man page. Retrieved December 19, 2017.
- Apple. (n.d.). Retrieved July 17, 2017.
- Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017.
- Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.
- Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.
- Threat Intelligence Team. (2015, January 6). Linux DDoS Trojan hiding itself with an embedded rootkit. Retrieved January 8, 2018.
- Wikipedia. (2017, October 14). HTML Application. Retrieved October 27, 2017.
- Microsoft. (n.d.). HTML Applications. Retrieved October 27, 2017.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
- McCammon, K. (2015, August 14). Microsoft HTML Application (HTA) Abuse, Part Deux. Retrieved October 27, 2017.
- Berry, A., Galang, L., Jiang, G., Leathery, J., Mohandas, R. (2017, April 11). CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler. Retrieved October 27, 2017.
- Dove, A. (2016, March 23). Fileless Malware – A Behavioural Analysis Of Kovter Persistence. Retrieved December 5, 2017.
- Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
- [ Smith, C. (2017, July 14). TheList.txt. Retrieved October 27, 2017.]
- Microsoft. (n.d.). Windows PowerShell Scripting. Retrieved April 28, 2016.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- PowerSploit. (n.d.). Retrieved December 4, 2014.
- Haight, J. (2016, April 21). PS>Attack. Retrieved June 1, 2016.
- Microsoft. (n.d.). Regsvcs.exe (.NET Services Installation Tool). Retrieved July 1, 2016.
- Microsoft. (n.d.). Regasm.exe (Assembly Registration Tool). Retrieved July 1, 2016.
- Microsoft. (2015, August 14). How to use the Regsvr32 tool and troubleshoot Regsvr32 error messages. Retrieved June 22, 2016.
- [ Smith, C. (2016, April 19). Bypass Application Whitelisting Script Protections - Regsvr32.exe & COM Scriptlets (.sct files). Retrieved June 30, 2017.]
- Anubhav, A., Kizhakkinan, D. (2017, February 22). Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government. Retrieved February 24, 2017.
- Merces, F. (2014). CPL Malware Malicious Control Panel Items. Retrieved November 1, 2017.
- Microsoft. (2005, January 21). Task Scheduler and security. Retrieved June 8, 2016.
- Metasploit. (n.d.). Retrieved December 4, 2014.
- Veil Framework. (n.d.). Retrieved December 4, 2014.
- Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
- Dan Goodin. (2016, July 6). After hiatus, in-the-wild Mac backdoors are suddenly back. Retrieved July 8, 2017.
- Microsoft. (n.d.). MSBuild1. Retrieved November 30, 2016.
- Microsoft. (n.d.). MSBuild Inline Tasks. Retrieved December 21, 2016.
- Knezevic, Z., Wenzel, M. Latham, L. (2016, June 20). Migrating from DNX to .NET Core CLI (project.json). Retrieved June 28, 2017.
- Nelson, M. (2017, November 17). Bypassing Application Whitelisting By Using dnx.exe. Retrieved May 25, 2017.
- Osenkov, K. (2011, October 19). Introducing the Microsoft “Roslyn” CTP. Retrieved June 28, 2017.
- Nelson, M. (2016, November 21). Bypassing Application Whitelisting By Using rcsi.exe. Retrieved May 26, 2017.
- Marshall, D. (2017, May 23). Debugging Tools for Windows (WinDbg, KD, CDB, NTSD). Retrieved June 29, 2017.
- Graeber, M. (2016, August 15). Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner. Retrieved May 26, 2017.
- B, M., Brown, K., Cai, S., Hogenson, G., Warren, G. (2016, November 4). File Tracking. Retrieved November 1, 2017.
- Smith, C. (2016, October 31). SubTee Twitter Status. Retrieved November 1, 2017.
- Wikipedia. (2016, June 12). Server Message Block. Retrieved June 12, 2016.
- Microsoft. (2003, March 28). What Is RPC?. Retrieved June 12, 2016.
- Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016.
- Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.
- Microsoft. (n.d.). Windows Remote Management. Retrieved November 12, 2014.
- Jacobsen, K. (2014, May 16). Lateral Movement with PowerShell[slides]. Retrieved November 12, 2014.