{"id":1312,"date":"2023-12-05T11:58:41","date_gmt":"2023-12-05T03:58:41","guid":{"rendered":"https:\/\/www.ruianding.com\/blog\/?p=1312"},"modified":"2023-12-06T21:10:37","modified_gmt":"2023-12-06T13:10:37","slug":"attck-for-enterprise-execution","status":"publish","type":"post","link":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/","title":{"rendered":"ATT&CK for Enterprise – TA0002 Execution"},"content":{"rendered":"\n

Execution, Tactic TA0002 – Enterprise | MITRE ATT&CK\u00ae<\/a><\/p>\n\n\n\n

“Execution”<\/strong> in the context of cyberattack tactics refers to the process where an attacker successfully runs malicious code on a target system. This step is crucial in the attack lifecycle, as it’s the point at which the attacker’s code actually starts to perform its intended malicious activities. Execution can be achieved in various ways, such as through user-interaction (e.g., getting a user to run a malware-laden email attachment), exploiting vulnerabilities in software, or using legitimate system tools in unauthorized ways. The key goal for attackers in this stage is to ensure their code runs effectively without being detected, thereby allowing them to proceed with their primary objectives, be it data exfiltration, system compromise, or persisting within the network. This blog will explore and categorize specific alerts from Other security alerts<\/a> documentation.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\n\n\n\n

T1059 Command and Scripting Interpreter<\/a><\/h3>\n\n\n\n
External ID<\/strong><\/td>Name<\/strong><\/td>Sev.<\/strong><\/td>Description<\/strong><\/td><\/tr>
2019<\/td>Remote code execution attempt<\/td>Medium<\/td>Nature of the Attack<\/strong>: This attack involves executing commands remotely on critical servers within an organization, specifically the AD DS, AD FS or AD CS servers. These servers are central to the management of user identities and security in a Windows environment.
Compromise of Administrative Credentials<\/strong>: Attackers gaining access to administrative accounts can carry out this attack. Administrative accounts have the necessary permissions to execute commands on these critical servers.
Exploitation of Zero-Day Vulnerabilities<\/strong>: A zero-day exploit refers to attacking a previously unknown vulnerability in software. This allows attackers to execute code without prior detection.
Gaining Persistency<\/strong>: The attacker aims to maintain long-term access to the compromised system.
Information Collection<\/strong>: Extracting sensitive information from the organization\u2019s network.
Denial of Service (DOS) Attacks<\/strong> \u2461: Disrupting services by overloading the system or crashing it.
Other Malicious Activities<\/strong>: Depending on the attacker\u2019s intent, the access could be used for various other harmful purposes.<\/td><\/tr>
2026<\/td>Suspicious service creation<\/td>Medium<\/td>Nature of the Attack<\/strong>: This attack involves executing commands remotely on critical servers within an organization, specifically the AD DS, AD FS or AD CS servers. These servers are central to the management of user identities and security in a Windows environment.
Creation of new service:<\/strong> Services in Windows are programs that operate in the background and are often crucial for system operations or applications. The creation of an unauthorized or unknown service can be a sign of malicious activity, as attackers often install services to maintain persistent access to a system, execute malicious tasks, or monitor user activities.
Detection Mechanism<\/strong>: The detection of this suspicious activity is primarily based on monitoring Windows event logs, particularly event ID 7045<\/strong>. This event ID logs the creation of new services.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

\u2460 “Zero-Day Vulnerability”<\/strong> refers to a flaw in software, hardware, or firmware that is unknown to the parties responsible for patching or fixing the flaw. It does not refer to any specific vulnerability. Instead, it’s a general term used to describe a type of vulnerability in software, hardware, or firmware. The term “zero-day” derives from the fact that the developers have “zero days” to fix the issue because it has already been exposed to potential attackers.<\/p>\n\n\n\n

\u2461 A Denial of Service (DoS) Attack<\/strong> is a type of cyberattack where the attacker aims to make a machine or network resource unavailable to its intended users. The main goal is to disrupt normal service operations.
DoS attacks are typically conducted from a single or limited number of sources<\/strong>, whereas DDoS (Distributed Denial of Service Attack)<\/strong> attacks involve multiple, often numerous, sources operating in concert. As a result, DDoS attacks are generally more complex and harder to defend against than DoS attacks.<\/p>\n","protected":false},"excerpt":{"rendered":"

Execution, Tactic TA0002 – Enterprise | MITRE ATT&CK\u00ae “Execution” in the context of cyberattack tactics refers to the process where an attacker successfully runs malicious code on a target system. This step is crucial in the attack lifecycle, as it’s the point at which the attacker’s code actually starts to perform its intended malicious activities. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[50],"tags":[],"class_list":["post-1312","post","type-post","status-publish","format-standard","hentry","category-cybersecurity"],"yoast_head":"\nATT&CK for Enterprise - TA0002 Execution - \u6781\u7b80IT\uff5cSimpleIT<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"ATT&CK for Enterprise - TA0002 Execution - \u6781\u7b80IT\uff5cSimpleIT\" \/>\n<meta property=\"og:description\" content=\"Execution, Tactic TA0002 – Enterprise | MITRE ATT&CK\u00ae “Execution” in the context of cyberattack tactics refers to the process where an attacker successfully runs malicious code on a target system. This step is crucial in the attack lifecycle, as it’s the point at which the attacker’s code actually starts to perform its intended malicious activities. […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/\" \/>\n<meta property=\"og:site_name\" content=\"\u6781\u7b80IT\uff5cSimpleIT\" \/>\n<meta property=\"article:published_time\" content=\"2023-12-05T03:58:41+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-12-06T13:10:37+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/12\/image-7.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1823\" \/>\n\t<meta property=\"og:image:height\" content=\"778\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Ruian Ding\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ruian Ding\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/\"},\"author\":{\"name\":\"Ruian Ding\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"headline\":\"ATT&CK for Enterprise – TA0002 Execution\",\"datePublished\":\"2023-12-05T03:58:41+00:00\",\"dateModified\":\"2023-12-06T13:10:37+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/\"},\"wordCount\":607,\"publisher\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"image\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/12\/image-7.png\",\"articleSection\":[\"CyberSecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/\",\"url\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/\",\"name\":\"ATT&CK for Enterprise - TA0002 Execution - \u6781\u7b80IT\uff5cSimpleIT\",\"isPartOf\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/12\/image-7.png\",\"datePublished\":\"2023-12-05T03:58:41+00:00\",\"dateModified\":\"2023-12-06T13:10:37+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/#primaryimage\",\"url\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/12\/image-7.png\",\"contentUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/12\/image-7.png\",\"width\":1823,\"height\":778},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.ruianding.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"ATT&CK for Enterprise – TA0002 Execution\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#website\",\"url\":\"https:\/\/www.ruianding.com\/blog\/\",\"name\":\"Ruian's Tech Troubleshooting Toolbox\",\"description\":\"Debug the World.\",\"publisher\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"alternateName\":\"\u4e01\u777f\u5b89\u7684\u6280\u672f\u5206\u4eab\u535a\u5ba2\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.ruianding.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\",\"name\":\"Ruian Ding\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png\",\"contentUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png\",\"width\":284,\"height\":284,\"caption\":\"Ruian Ding\"},\"logo\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/\"},\"description\":\"I am currently a Support Specialist at NIO, focusing on cloud-related issues for NIO Power. Previously, at Microsoft Entra ID, I specialized in identity and access management (IAM), including device registration, Windows Hello for Business (WHfB), multi-factor authentication (MFA), and single sign-on (SSO). In addition to my core expertise, I have a strong foundation in Active Directory, Servers, Cloud Computing, Network Administration, and Front-end Web Development. This diverse technical skill set enables me to effectively handle a wide range of challenges in a fast-paced IT environment.\",\"sameAs\":[\"https:\/\/www.ruianding.com\"],\"url\":\"https:\/\/www.ruianding.com\/blog\/author\/ruiand\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"ATT&CK for Enterprise - TA0002 Execution - \u6781\u7b80IT\uff5cSimpleIT","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/","og_locale":"en_US","og_type":"article","og_title":"ATT&CK for Enterprise - TA0002 Execution - \u6781\u7b80IT\uff5cSimpleIT","og_description":"Execution, Tactic TA0002 – Enterprise | MITRE ATT&CK\u00ae “Execution” in the context of cyberattack tactics refers to the process where an attacker successfully runs malicious code on a target system. This step is crucial in the attack lifecycle, as it’s the point at which the attacker’s code actually starts to perform its intended malicious activities. […]","og_url":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/","og_site_name":"\u6781\u7b80IT\uff5cSimpleIT","article_published_time":"2023-12-05T03:58:41+00:00","article_modified_time":"2023-12-06T13:10:37+00:00","og_image":[{"width":1823,"height":778,"url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/12\/image-7.png","type":"image\/png"}],"author":"Ruian Ding","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Ruian Ding","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/#article","isPartOf":{"@id":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/"},"author":{"name":"Ruian Ding","@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"headline":"ATT&CK for Enterprise – TA0002 Execution","datePublished":"2023-12-05T03:58:41+00:00","dateModified":"2023-12-06T13:10:37+00:00","mainEntityOfPage":{"@id":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/"},"wordCount":607,"publisher":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"image":{"@id":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/#primaryimage"},"thumbnailUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/12\/image-7.png","articleSection":["CyberSecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/","url":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/","name":"ATT&CK for Enterprise - TA0002 Execution - \u6781\u7b80IT\uff5cSimpleIT","isPartOf":{"@id":"https:\/\/www.ruianding.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/#primaryimage"},"image":{"@id":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/#primaryimage"},"thumbnailUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/12\/image-7.png","datePublished":"2023-12-05T03:58:41+00:00","dateModified":"2023-12-06T13:10:37+00:00","breadcrumb":{"@id":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/#primaryimage","url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/12\/image-7.png","contentUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/12\/image-7.png","width":1823,"height":778},{"@type":"BreadcrumbList","@id":"https:\/\/www.ruianding.com\/blog\/attck-for-enterprise-execution\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.ruianding.com\/blog\/"},{"@type":"ListItem","position":2,"name":"ATT&CK for Enterprise – TA0002 Execution"}]},{"@type":"WebSite","@id":"https:\/\/www.ruianding.com\/blog\/#website","url":"https:\/\/www.ruianding.com\/blog\/","name":"Ruian's Tech Troubleshooting Toolbox","description":"Debug the World.","publisher":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"alternateName":"\u4e01\u777f\u5b89\u7684\u6280\u672f\u5206\u4eab\u535a\u5ba2","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.ruianding.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b","name":"Ruian Ding","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png","contentUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png","width":284,"height":284,"caption":"Ruian Ding"},"logo":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/"},"description":"I am currently a Support Specialist at NIO, focusing on cloud-related issues for NIO Power. Previously, at Microsoft Entra ID, I specialized in identity and access management (IAM), including device registration, Windows Hello for Business (WHfB), multi-factor authentication (MFA), and single sign-on (SSO). In addition to my core expertise, I have a strong foundation in Active Directory, Servers, Cloud Computing, Network Administration, and Front-end Web Development. This diverse technical skill set enables me to effectively handle a wide range of challenges in a fast-paced IT environment.","sameAs":["https:\/\/www.ruianding.com"],"url":"https:\/\/www.ruianding.com\/blog\/author\/ruiand\/"}]}},"_links":{"self":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/1312","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/comments?post=1312"}],"version-history":[{"count":7,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/1312\/revisions"}],"predecessor-version":[{"id":1378,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/1312\/revisions\/1378"}],"wp:attachment":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/media?parent=1312"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/categories?post=1312"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/tags?post=1312"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}