# TA0002 — Execution

## Description

The Execution tactic covers the techniques an adversary uses to **run malicious code** on the victim's system. After gaining initial access, the attacker needs to execute a payload, whether that is a PowerShell script, a native binary, a command issued via WMI, or JavaScript code in a browser. Execution is the operational core of the attack: without it there is no impact.

Modern adversaries prefer execution techniques that abuse legitimate operating system components (Living Off the Land, LOTL): [[t1059-001-powershell|PowerShell]], [[t1059-003-windows-command-shell|cmd.exe]], [[t1047-windows-management-instrumentation|WMI]] and remote administration tools. This makes detection by traditional signature-based antivirus harder, because the malicious code is executed by trusted processes.

Combining [[t1059-command-scripting-interpreter|T1059 - Command and Scripting Interpreter]] with obfuscation techniques ([[t1027-obfuscated-files|T1027]]) is the standard approach of groups such as [[g0016-apt29|APT29]], [[g0096-apt41|APT41]] and ransomware operators who need to get past modern security controls.

## Position in the Kill Chain

```mermaid
graph TB
    R["Reconhecimento"]:::inactive --> RD["Desenvolvimento<br/>de Recursos"]:::inactive
    RD --> IA["Acesso Inicial"]:::inactive
    IA --> EX["⚡ Execução"]:::active
    EX --> PE["Persistência"]:::inactive
    PE --> PR["Esc. Privilégios"]:::inactive
    PR --> DE["Evasão de Defesas"]:::inactive
    DE --> CA["Acesso a<br/>Credenciais"]:::inactive
    CA --> DI["Descoberta"]:::inactive
    DI --> LM["Mov. Lateral"]:::inactive
    LM --> CO["Coleta"]:::inactive
    CO --> C2["Comando e<br/>Controle"]:::inactive
    C2 --> EXF["Exfiltração"]:::inactive
    EXF --> IM["Impacto"]:::inactive
    classDef active fill:#e74c3c,color:#fff,stroke:#c0392b,stroke-width:3px
    classDef inactive fill:#2c3e50,color:#95a5a6,stroke:#1a252f
```

## Techniques of this Tactic in the Vault

%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Nota", mitre-id AS "ID", title AS "Técnica", platforms AS "Plataformas"
FROM "ttp/techniques"
WHERE contains(mitre-tactic, "Execution")
SORT mitre-id ASC
```
%%

<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Nota", mitre-id AS "ID", title AS "Técnica", platforms AS "Plataformas" FROM "ttp/techniques" WHERE contains(mitre-tactic, "Execution") SORT mitre-id ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Nota", mitre-id AS "ID", title AS "Técnica", platforms AS "Plataformas" FROM "ttp/techniques" WHERE contains(mitre-tactic, "Execution") SORT mitre-id ASC -->
| Note | ID | Technique | Platforms |
| ---- | -- | --------- | --------- |
| [[t1047-windows-management-instrumentation\|T1047 - Windows Management Instrumentation]] | T1047 | T1047 - Windows Management Instrumentation | <ul><li>Windows</li></ul> |
| [[t1053-scheduled-task-job\|T1053 - Scheduled Task/Job]] | T1053 | T1053 - Scheduled Task/Job | <ul><li>Windows</li><li>Linux</li><li>macOS</li><li>Containers</li></ul> |
| [[t1053-scheduled-taskjob\|T1053 - Scheduled Task/Job]] | T1053 | T1053 - Scheduled Task/Job | <ul><li>Windows</li><li>Linux</li><li>macOS</li><li>Containers</li><li>ESXi</li></ul> |
| [[t1053-002-at\|T1053.002 - At]] | T1053.002 | T1053.002 - At | <ul><li>Windows</li><li>Linux</li><li>macOS</li></ul> |
| [[t1053-003-cron\|T1053.003 - Cron]] | T1053.003 | T1053.003 - Cron | <ul><li>Linux</li><li>macOS</li><li>ESXi</li></ul> |
| [[t1053-005-scheduled-task\|T1053.005 - Scheduled Task]] | T1053.005 | T1053.005 - Scheduled Task | <ul><li>Windows</li></ul> |
| [[t1053-006-systemd-timers\|T1053.006 - Systemd Timers]] | T1053.006 | T1053.006 - Systemd Timers | <ul><li>Linux</li></ul> |
| [[t1053-007-container-orchestration-job\|T1053.007 - Container Orchestration Job]] | T1053.007 | T1053.007 - Container Orchestration Job | <ul><li>Containers</li></ul> |
| [[t1059-command-and-scripting-interpreter\|T1059 - Command and Scripting Interpreter]] | T1059 | T1059 - Command and Scripting Interpreter | <ul><li>ESXi</li><li>IaaS</li><li>Identity Provider</li><li>Linux</li><li>macOS</li><li>Network Devices</li><li>Office Suite</li><li>Windows</li></ul> |
| [[t1059-command-scripting-interpreter\|T1059 - Command and Scripting Interpreter]] | T1059 | T1059 - Command and Scripting Interpreter | <ul><li>Windows</li><li>macOS</li><li>Linux</li><li>Network</li></ul> |
| [[t1059-001-powershell\|T1059.001 - PowerShell]] | T1059.001 | T1059.001 - PowerShell | <ul><li>Windows</li></ul> |
| [[t1059-002-applescript\|T1059.002 - AppleScript]] | T1059.002 | T1059.002 - AppleScript | <ul><li>macOS</li></ul> |
| [[t1059-003-windows-command-shell\|T1059.003 - Windows Command Shell]] | T1059.003 | T1059.003 - Windows Command Shell | <ul><li>Windows</li></ul> |
| [[t1059-004-unix-shell\|T1059.004 - Unix Shell]] | T1059.004 | T1059.004 - Unix Shell | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Network Devices</li></ul> |
| [[t1059-005-visual-basic\|T1059.005 - Visual Basic]] | T1059.005 | T1059.005 - Visual Basic | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1059-006-python\|T1059.006 - Python]] | T1059.006 | T1059.006 - Python | <ul><li>ESXi</li><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1059-007-javascript\|T1059.007 - JavaScript]] | T1059.007 | T1059.007 - JavaScript | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1059-008-network-device-cli\|T1059.008 - Network Device CLI]] | T1059.008 | T1059.008 - Network Device CLI | <ul><li>Network Devices</li></ul> |
| [[t1059-009-cloud-api\|T1059.009 - Cloud API]] | T1059.009 | T1059.009 - Cloud API | <ul><li>IaaS</li><li>Identity Provider</li><li>Office Suite</li><li>SaaS</li></ul> |
| [[t1059-010-autohotkey-autoit\|T1059.010 - AutoHotKey & AutoIT]] | T1059.010 | T1059.010 - AutoHotKey & AutoIT | <ul><li>Windows</li></ul> |
| [[t1059-011-lua\|T1059.011 - Lua]] | T1059.011 | T1059.011 - Lua | <ul><li>Linux</li><li>Network Devices</li><li>Windows</li><li>macOS</li></ul> |
| [[t1059-012-hypervisor-cli\|T1059.012 - Hypervisor CLI]] | T1059.012 | T1059.012 - Hypervisor CLI | <ul><li>ESXi</li></ul> |
| [[t1059-013-container-cliapi\|T1059.013 - Container CLI/API]] | T1059.013 | T1059.013 - Container CLI/API | <ul><li>Containers</li></ul> |
| [[t1072-software-deployment-tools\|T1072 - Software Deployment Tools]] | T1072 | T1072 - Software Deployment Tools | <ul><li>Linux</li><li>macOS</li><li>Network Devices</li><li>SaaS</li><li>Windows</li></ul> |
| [[t1106-native-api\|T1106 - Native API]] | T1106 | T1106 - Native API | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1129-shared-modules\|T1129 - Shared Modules]] | T1129 | T1129 - Shared Modules | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1203-exploitation-client-execution\|T1203 - Exploitation for Client Execution]] | T1203 | T1203 - Exploitation for Client Execution | <ul><li>Windows</li><li>macOS</li><li>Linux</li></ul> |
| [[t1203-exploitation-for-client-execution\|T1203 - Exploitation for Client Execution]] | T1203 | T1203 - Exploitation for Client Execution | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1204-user-execution\|T1204 - User Execution]] | T1204 | T1204 - User Execution | <ul><li>Linux</li><li>Windows</li><li>macOS</li><li>IaaS</li><li>Containers</li></ul> |
| [[t1204-001-malicious-link\|T1204.001 - Malicious Link]] | T1204.001 | T1204.001 - Malicious Link | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1204-002-malicious-file\|T1204.002 - Malicious File]] | T1204.002 | T1204.002 - Malicious File | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1204-003-malicious-image\|T1204.003 - Malicious Image]] | T1204.003 | T1204.003 - Malicious Image | <ul><li>IaaS</li><li>Containers</li></ul> |
| [[t1204-004-malicious-copy-and-paste\|T1204.004 - Malicious Copy and Paste]] | T1204.004 | T1204.004 - Malicious Copy and Paste | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1204-005-malicious-library\|T1204.005 - Malicious Library]] | T1204.005 | T1204.005 - Malicious Library | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1559-inter-process-communication\|T1559 - Inter-Process Communication]] | T1559 | T1559 - Inter-Process Communication | <ul><li>Linux</li><li>macOS</li><li>Windows</li></ul> |
| [[t1559-001-component-object-model\|T1559.001 - Component Object Model]] | T1559.001 | T1559.001 - Component Object Model | <ul><li>Windows</li></ul> |
| [[t1559-002-dynamic-data-exchange\|T1559.002 - Inter-Process Communication: Dynamic Data Exchange]] | T1559.002 | T1559.002 - Inter-Process Communication: Dynamic Data Exchange | <ul><li>Windows</li></ul> |
| [[t1559-003-xpc-services\|T1559.003 - XPC Services]] | T1559.003 | T1559.003 - XPC Services | <ul><li>macOS</li></ul> |
| [[t1569-system-services\|T1569 - System Services]] | T1569 | T1569 - System Services | <ul><li>Windows</li><li>macOS</li><li>Linux</li></ul> |
| [[t1569-001-launchctl\|T1569.001 - Launchctl]] | T1569.001 | T1569.001 - Launchctl | <ul><li>macOS</li></ul> |
| [[t1569-002-service-execution\|T1569.002 - Service Execution]] | T1569.002 | T1569.002 - Service Execution | <ul><li>Windows</li></ul> |
| [[t1569-003-systemctl\|T1569.003 - Systemctl]] | T1569.003 | T1569.003 - Systemctl | <ul><li>Linux</li></ul> |
| [[t1609-container-administration-command\|T1609 - Container Administration Command]] | T1609 | T1609 - Container Administration Command | <ul><li>Containers</li></ul> |
| [[t1648-serverless-execution\|T1648 - Serverless Execution]] | T1648 | T1648 - Serverless Execution | <ul><li>SaaS</li><li>IaaS</li><li>Office Suite</li></ul> |
| [[t1651-cloud-administration-command\|T1651 - Cloud Administration Command]] | T1651 | T1651 - Cloud Administration Command | <ul><li>IaaS</li></ul> |
| [[ttp/techniques/execution/t1671-cloud-application-integration.md\|T1671 - Cloud Application Integration]] | T1671 | T1671 - Cloud Application Integration | <ul><li>SaaS</li><li>IaaS</li><li>Office Suite</li></ul> |
| [[t1674-input-injection\|T1674 - Input Injection]] | T1674 | T1674 - Input Injection | <ul><li>Windows</li><li>macOS</li><li>Linux</li></ul> |
| [[t1675-esxi-administration-command\|T1675 - ESXi Administration Command]] | T1675 | T1675 - ESXi Administration Command | <ul><li>ESXi</li></ul> |
| [[t1677-poisoned-pipeline-execution\|T1677 - Poisoned Pipeline Execution]] | T1677 | T1677 - Poisoned Pipeline Execution | <ul><li>SaaS</li></ul> |
<!-- SerializedQuery END -->

## Mindmap — Execution Techniques

```mermaid
mindmap
  root((TA0002<br/>Execution))
    Scripting
      T1059 Command and Scripting Interpreter
        T1059.001 PowerShell
        T1059.003 Windows Command Shell
        T1059.005 Visual Basic
        T1059.007 JavaScript
        T1059.006 Python
    Agendamento
      T1053 Scheduled Task/Job
        T1053.005 Scheduled Task
        T1053.003 Cron
    Serviços do SO
      T1047 WMI
      T1569 System Services
      T1106 Native API
    Exploração
      T1203 Exploitation for Client Execution
        Browser Exploits
        Office Exploits
    Interação do Usuário
      T1204 User Execution
        T1204.001 Malicious Link
        T1204.002 Malicious File
```

## Actors Using this Tactic

| Actor | Preferred Execution Technique |
|-------|-------------------------------|
| [[Cozy Bear]] | Obfuscated PowerShell, WMI for fileless persistence |
| [[g0096-apt41\|APT41]] | WMI, Scheduled Tasks, multiple interpreters |
| [[g0032-lazarus-group\|Lazarus Group]] | PowerShell, malicious VBS inside document decoys |
| [[TA505]] | PowerShell, cmd.exe after exploiting vulnerabilities |
| [[lockbit\|LockBit Operators]] | PsExec, WMIC, PowerShell for mass deployment |

## Detection and Mitigation

### Detection

- **PowerShell Script Block Logging:** enable script block logging (Event ID 4104) to capture obfuscated commands
- **AMSI (Antimalware Scan Interface):** integration with EDR solutions to intercept script execution
- **Sysmon Event ID 1:** process creation with the full command line
- **WMI Activity Logging:** Event ID 4688 + Sysmon Event ID 20 for WMI subscriptions
- **EDR Behavioral Rules:** detection of suspicious parent/child processes (Office → PowerShell, mshta → cmd)

### Mitigation

- **AppLocker / Windows Defender Application Control:** restrict execution to signed binaries
- **Constrained Language Mode (PowerShell):** limit PowerShell capabilities for regular users
- **Disable Office macros** for documents from external sources (Protected View + macro blocking)
- **Attack Surface Reduction (ASR) Rules:** in Defender, block Office applications from creating child processes

## LATAM/Brazil Relevance

Brazilian banking malware ([[s0531-grandoreiro|Grandoreiro]], [[mekotio|Mekotio]], [[s0528-javali|Javali]]) makes extensive use of VBS and PowerShell for execution. The typical chain is: e-mail with a link → download of a ZIP file → VBS that downloads and runs a Delphi payload. AutoHotKey and VBScript scripts are popular in the LATAM malware ecosystem because they are simpler to develop and less often detected than PE binaries in environments without advanced EDR.
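As an added example, not part of this vault, the two behavioural checks from the Detection section (suspicious parent/child pairs such as Office → PowerShell and mshta → cmd, and encoded PowerShell command lines) implemented as a small rule set over process-creation records, extended with the wscript/cscript → PowerShell hop of the VBS chains described for LATAM. The record field names follow Sysmon Event ID 1 (`Image`, `ParentImage`, `CommandLine`, `ProcessGuid`); the process lists, rule names and sample records are constructed here, not taken from any real telemetry.

```python
import base64
import re
from typing import Iterable, Optional

# Parent -> child pairs named in the Detection section (Office -> PowerShell, mshta -> cmd),
# plus the wscript/cscript -> PowerShell hop of the VBS-based chains described for LATAM.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_PARENTS = OFFICE | {"mshta.exe", "wscript.exe", "cscript.exe"}
# -e / -ec / -enc / -encodedcommand followed by a base64 blob (the payload is UTF-16LE text)
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()  # basename of a Sysmon Image/ParentImage path

def decode_encoded_command(command_line: str) -> Optional[str]:
    """Recover the script text behind -EncodedCommand so the analyst can read it."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: still suspicious, but nothing readable to show

def evaluate(event: dict) -> list[str]:
    """Names of the rules a Sysmon Event ID 1 record matches (empty list if clean)."""
    parent, child = image_name(event["ParentImage"]), image_name(event["Image"])
    hits = []
    if parent in SUSPICIOUS_PARENTS and child in INTERPRETERS:
        hits.append(f"suspicious_parent_child:{parent}->{child}")
    if child in {"powershell.exe", "pwsh.exe"} and ENCODED_FLAG.search(event.get("CommandLine", "")):
        hits.append("encoded_powershell")
    return hits

def scan(events: Iterable[dict]) -> dict[str, list[str]]:
    return {e["ProcessGuid"]: hits for e in events if (hits := evaluate(e))}  # only records that fired

# Constructed sample records using Sysmon Event ID 1 field names (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBCAEMARABFAEYARwBIAEkASgA="},  # decodes to "ABCDEFGHIJ"
    {"EventID": 1, "ProcessGuid": "{A2}", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1"},
    {"EventID": 1, "ProcessGuid": "{A3}", "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "ProcessGuid": "{A4}", "ParentImage": r"C:\Windows\System32\mshta.exe", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]
```

Running `scan(SAMPLE_EVENTS)` flags A1 on both rules, A2 and A4 on the parent/child rule only, and leaves the benign A3 record out; `decode_encoded_command` gives the analyst the decoded script text to triage instead of the raw blob.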
- [[ta0001-initial-access|TA0001 - Initial Access]] — previous phase
- [[ta0003-persistence|TA0003 - Persistence]] — next phase
- [[t1059-command-scripting-interpreter|T1059 - Command and Scripting Interpreter]] — central technique
- [[t1059-001-powershell|T1059.001 - PowerShell]] — most common in Windows environments
- [[t1047-windows-management-instrumentation|T1047 - WMI]] — execution via a legitimate service
- [[t1204-user-execution|T1204 - User Execution]] — execution via human interaction
- [[t1203-exploitation-client-execution|T1203 - Exploitation for Client Execution]] — client-side exploit
- [[_techniques|Technique Index]] — overview of all documented techniques

## References

- [[ta0002-*|MITRE ATT&CK - TA0002 Execution]]
- [Microsoft — PowerShell Logging Best Practices](https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/wmf/whats-new/script-logging)