The adversary is trying to run malicious code.
Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.
ID | Name | Description
T2012 | Command and Scripting Interpreter | Adversaries may abuse command and scripting interpreters to execute unauthorized commands, scripts, or binaries within vehicle systems. These interfaces provide a way for adversaries to interact with the vehicle's computer systems and execute arbitrary commands, potentially leading to unauthorized access and control over critical vehicle functions.
T2013 | Container Administration Command | Adversaries may abuse the Container Administration Command technique to gain unauthorized access to vehicle systems. As containers have become the standard in the automotive industry, they are vital in the software-defined vehicle architecture, providing flexibility and faster innovation. In this context, adversaries may use the Container Administration Command technique to execute arbitrary commands within containers, allowing them to manipulate critical vehicle functions.
T2014 | Deploy Container | Adversaries may deploy containers as a means of executing arbitrary code within the context of vehicle cybersecurity. By leveraging container technology, adversaries can encapsulate malicious payloads and deploy them within the vehicle's software-defined architecture. This technique allows adversaries to bypass traditional security measures and execute unauthorized code within the vehicle's computing environment, potentially leading to unauthorized access, data theft, or disruption of critical vehicle functions.
T2015 | Inter-Process Communication | Adversaries may abuse inter-process communication (IPC) within vehicle systems to facilitate unauthorized execution of commands or scripts. IPC mechanisms are used by different processes within a vehicle's electronic control units (ECUs) to communicate and exchange data. This can include communication between different software components. Adversaries may abuse IPC to gain unauthorized access to critical systems and execute malicious commands, potentially leading to vehicle malfunctions or compromise of sensitive data.
T2016 | Native API | Adversaries may abuse the Native API technique to execute behaviors within the context of vehicle cybersecurity. Similar to how adversaries manipulate accounts to maintain and elevate access to victim systems, they may also abuse the OS API functions to interact with and utilize various components of a vehicle's system.
T2017 | Scheduled Task/Job | Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (e.g., RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
T2018 | System Services | Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence (Create or Modify System Process), but adversaries can also abuse services for one-time or temporary execution.