The Mitre Att&ck Matrix has defined 13 techniques in the Execution category of a Cyber Attack.
Command and Scripting Interpreter This is a script or program a threat actor executes on their target’s host that can interpret and execute commands issued by the threat actor. Web shells would be an example of this.
Container Administration Command This is when a threat actor can access utilities that manage containers like Docker or Kubernetes, enabling the threat actor to interact with Docker/Kubernetes containers or break out of a container they are in.
Deploy Container is similar to the above technique. Only they utilize it to deploy containers that the threat actor has created to deploy malware or establish persistence.
Exploitation for Client Execution This is when a threat actor utilizes an exploit to execute malware. Another example is executing malware embedded in a document such as a .pdf. One Note is becoming a recent example.
Inter-Process Communication This is when your abusing mechanism’s programs use to communicate with each other to execute code. Buffer overflows are an example of this.
Native API This is when the threat actor utilizes a flaw in a service’s API functionality to access data or services.
Scheduled Task/Job This is when a threat actor determines that some tasks run at set intervals. When a scheduled task gets modified, programs can run with elevated privileges.
Serverless Execution in cloud environments if serverless web servers get incorrectly configured, then arbitrary commands can execute. Privileges could get assigned to cloud IAM accounts.
Shared Modules This is when a malicious DLL or library gets swapped from a legitimate DLL or library. The result is code execution.
Software Deployment Tools This is when a threat actor utilizes a flaw in a commonly used Tool throughout the network to gain code execution.
System Services is when a misconfigured service enables malware execution. A malicious executable can be stored in a similarly named folder to get executed before the legitimate service gets executed.
User Execution. Malware executed by an end user.
Windows Management Instrumentation This is when the threat actor utilizes the Windows Management Instrumentation framework to execute malicious commands or deliberately misconfigure components of a windows environment. Enabling persistence or ensuring malware remains running.