User Execution (T0863)


Technique & Subtechniques

  • User Execution

Associated Tactics

  • Execution

Execution (TA0104)

The adversary is trying to run code or manipulate system functions, parameters, and data in an unauthorized way. Execution consists of techniques that result in adversary-controlled code running on a local or remote system, device, or other asset. This execution may also rely on unknowing end users or the manipulation of device operating modes to run. Adversaries may infect remote targets with programmed executables or malicious project files that operate according to specified behavior and may alter expected device behavior in subtle ways. Commands for execution may also be issued from command-line interfaces, APIs, GUIs, or other available interfaces. Techniques that run malicious code may also be paired with techniques from other tactics, particularly to aid network [Discovery](https://attack.mitre.org/tactics/TA0102) and [Collection](https://attack.mitre.org/tactics/TA0100), impact operations, and inhibit response functions.

Procedure Examples

Description Source(s)
  • Booz Allen Hamilton. When The Lights Went Out. Retrieved 2019/10/22. (Booz Allen Hamilton)
  • Daavid Hentunen, Antti Tikkanen. 2014, June 23. Havex Hunts For ICS/SCADA Systems. Retrieved 2019/04/01. (Daavid Hentunen, Antti Tikkanen June 2014)
  • Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA). 2021, July 20. Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013. Retrieved 2021/10/08. (CISA AA21-201A Pipeline Intrusion July 2021)