Execution Detection Rules
The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.
df00tech ships 62 production-ready detection rules mapped to the Execution tactic (TA0002). Each rule below includes copy-paste queries for Microsoft Sentinel (KQL), Splunk (SPL), Elastic (EQL), QRadar, Sumo Logic, Chronicle and LogScale, with data-source requirements, severity and false-positive guidance — free to use.
Execution detections (62)
- CVE-2024-3400 Palo Alto PAN-OS GlobalProtect Command Injection (Operation MidnightEclipse)
- CVE-2024-21413 Microsoft Outlook RCE via Moniker Link (MonikerLink)
- CVE-2024-21887 Ivanti Connect Secure Authenticated Command Injection (Chained with CVE-2023-46805)
- CVE-2024-23897 Jenkins Arbitrary File Read via CLI Argument Parser (Pre-Auth RCE Chain)
- CVE-2024-30078 Windows Wi-Fi Driver Remote Code Execution via Adjacent Network
- CVE-2024-38112 Windows MSHTML Spoofing via .url File Phishing (Void Banshee)
- CVE-2025-21298 Windows OLE Remote Code Execution via Malicious RTF Document
- CVE-2025-68670 xrdp Unauthenticated Stack Buffer Overflow via RDP Connection Sequence
- CVE-2026-1731 BeyondTrust Remote Support Pre-Auth Remote Code Execution
- T1047 Windows Management Instrumentation
- T1053 Scheduled Task/Job
- T1053.002 At
- T1053.003 Cron
- T1053.004 Launchd
- T1053.005 Scheduled Task
- T1053.006 Systemd Timers
- T1053.007 Container Orchestration Job
- T1059 Command and Scripting Interpreter
- T1059.001 PowerShell
- T1059.002 AppleScript
- T1059.003 Windows Command Shell
- T1059.004 Unix Shell
- T1059.005 Visual Basic
- T1059.006 Python
- T1059.007 JavaScript
- T1059.008 Network Device CLI
- T1059.009 Cloud API
- T1059.010 AutoHotKey & AutoIT
- T1059.011 Lua
- T1059.012 Hypervisor CLI
- T1059.013 Container CLI/API
- T1061 Graphical User Interface
- T1064 Scripting
- T1072 Software Deployment Tools
- T1106 Native API
- T1129 Shared Modules
- T1153 Source
- T1175 Component Object Model and Distributed COM
- T1203 Exploitation for Client Execution
- T1204 User Execution
- T1204.001 Malicious Link
- T1204.002 Malicious File
- T1204.003 Malicious Image
- T1204.004 Malicious Copy and Paste
- T1204.005 Malicious Library
- T1559 Inter-Process Communication
- T1559.001 Component Object Model
- T1559.002 Dynamic Data Exchange
- T1559.003 XPC Services
- T1569 System Services
- T1569.001 Launchctl
- T1569.002 Service Execution
- T1569.003 Systemctl
- T1609 Container Administration Command
- T1610 Deploy Container
- T1648 Serverless Execution
- T1651 Cloud Administration Command
- T1674 Input Injection
- T1675 ESXi Administration Command
- T1677 Poisoned Pipeline Execution
- THREAT-InitialAccess-PhishingMacro Phishing Document Macro Execution and Initial Access
- THREAT-LateralMovement-SMBPsExec Lateral Movement via SMB and PsExec-Style Remote Execution