AWS AddPermission20150331v2
Adds a permission to a Lambda function's resource-based policy, allowing specified principals to invoke the function.
Execution
Execution
Section titled “Execution”The adversary is trying to run malicious code.
Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.
In cloud environments, execution commonly involves invoking serverless functions (Lambda, Cloud Functions), running commands through instance metadata services, or leveraging cloud-native automation tools like SSM, CloudFormation, or Azure Automation. Adversaries may also abuse cloud shells and container orchestration platforms.
View Execution on MITRE ATT&CK →Events Related to Execution
Section titled “Events Related to Execution”GCP Compute.instances.setMetadata
Sets or updates instance-level metadata on a Compute Engine VM, which can include SSH keys or startup scripts.
GCP compute.projects.setCommonInstanceMetadata
Sets project-wide Compute Engine metadata, applied to all instances and commonly used to manage SSH keys.
AWS CreateStack
Creates a CloudFormation stack by provisioning AWS resources defined in a specified template.
AWS EnableSerialConsoleAccess
Enables the EC2 Serial Console at the account level, allowing direct serial port access to instances for troubleshooting.
GCP google.ssh-serialport.v1.connect
Establishes a serial console connection to a Compute Engine VM, providing low-level instance access.
AWS Invoke
Invokes a Lambda function synchronously or asynchronously, triggering its execution with an optional input payload.
Azure Microsoft.Automation/automationAccounts/jobs/write
Creates or starts a runbook job in an Azure Automation account.
Azure Microsoft.Automation/automationAccounts/runbooks/write
Creates or updates a runbook in an Azure Automation account.
Azure Microsoft.Automation/automationAccounts/webhooks/action
Triggers an Azure Automation runbook via a webhook invocation.
Azure Microsoft.Automation/automationAccounts/webhooks/write
Creates or updates a webhook that can trigger an Azure Automation runbook remotely.
Azure Microsoft.Compute/virtualMachines/extensions/write
Installs or updates a VM extension on an Azure virtual machine, which can run scripts or install software agents.
Azure Microsoft.Compute/virtualMachines/runCommand/action
Executes a script or command on an Azure VM without requiring network-based access such as SSH or RDP.
Azure Microsoft.Compute/virtualMachines/write (CustomScriptExtension)
Creates or updates an Azure VM with a Custom Script Extension, executing a script on the VM at provisioning time.
Azure Microsoft.ContainerService/managedClusters/runCommand/action
Executes a command against an AKS cluster's Kubernetes API without requiring direct network connectivity to the API server.
Azure Microsoft.SerialConsole/serialPorts/connect/action
Connects to the serial console of an Azure VM, providing low-level access without requiring network connectivity.
AWS ModifyInstanceAttribute
Modifies a specific attribute of an EC2 instance, such as its instance type, user data, or security groups.
AWS ResumeSession
Resumes a previously disconnected Systems Manager Session Manager session with a managed instance.
AWS SendCommand
Remotely executes a command or script on one or more managed instances via AWS Systems Manager Run Command.
AWS SendSerialConsoleSSHPublicKey
Pushes an SSH public key to an EC2 instance's serial console interface, enabling SSH access over the serial port.
AWS StartBuild
Starts a CodeBuild build, executing arbitrary code with the build project's IAM role credentials.
AWS StartSession
Starts an interactive Systems Manager Session Manager session with a managed EC2 instance or on-premises server.
AWS UpdateFunctionCode20150331v2
Updates the code of an existing Lambda function with a new deployment package or container image URI.
AWS UpdateFunctionConfiguration20150331v2
Updates Lambda function configuration including environment variables, IAM role, or layers — used to inject credentials or swap execution context.