Payload Execution
Payload Execution consists of techniques adversaries use to trigger execution of malicious content that was delivered earlier, inside the application's runtime. This includes exploiting insecure deserialization or server-side template engines, abusing serverless function invocations, leveraging injection flaws (SQL, command, template), or scheduling jobs that run attacker-supplied code. Payload execution turns planted artifacts into active compromise by using the application's own legitimate functionality to reach code execution, so the malicious code typically runs inside the application process with the application's identity and privileges rather than as a separately launched executable.
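The delivery-then-execution split described above is easiest to see with insecure deserialization, where the planted artifact is a serialized object and the "legitimate functionality" that executes it is the application's own session or cache loader. The following is an added, self-contained example (not code from the original page or from any framework it describes) using Python's standard `pickle` module; the `_record` marker, the `PlantedPayload` class and the session dictionary are constructed for illustration, and a real payload would call `os.system` or similar where `_record` is called. It shows the vulnerable loader running the payload during the load itself, before the application ever inspects the result, a restricted unpickler that refuses to resolve the callable, and the data-only JSON alternative.

```python
import io
import json
import pickle

# Side channel used to prove the payload ran. A real payload would spawn a
# process or open a socket here; this constructed example only records a tag.
EXECUTED = []


def _record(tag):
    """Stand-in for the attacker's real action (e.g. os.system)."""
    EXECUTED.append(tag)
    return tag


class PlantedPayload:
    """Attacker-controlled class: __reduce__ instructs pickle to call _record()
    while the stream is being loaded, i.e. before the caller sees any object."""

    def __reduce__(self):
        return (_record, ("payload-ran",))


def deliver_payload() -> bytes:
    """Delivery stage: the attacker serializes the object and gets the bytes
    stored somewhere the app will later load from (cookie, cache, queue)."""
    return pickle.dumps(PlantedPayload())


# Constructed example of what the loader is supposed to receive.
LEGIT_SESSION = {"user": "alice", "roles": ["reader"]}


def load_session_vulnerable(blob: bytes):
    """Execution stage: the app unpickles whatever it finds. Any callable
    referenced by the stream runs here, inside the application process."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: refuses to resolve globals, so a stream that needs to
    import a callable cannot be loaded at all. Plain dicts, lists, strings and
    numbers never trigger find_class and still load normally."""

    ALLOWED = set()  # add (module, name) pairs only for types you truly need

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_session_restricted(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def load_session_json(text: str):
    """Preferred fix: a data-only format with no object graph to rebuild, so
    there is no code path for the stream to invoke."""
    return json.loads(text)


def demo():
    """Run both loaders against the planted payload and report what happened."""
    EXECUTED.clear()
    blob = deliver_payload()

    try:
        load_session_restricted(blob)
        restricted_blocked = False
    except pickle.UnpicklingError:
        restricted_blocked = True
    ran_before = "payload-ran" in EXECUTED  # False: nothing was resolved or called

    load_session_vulnerable(blob)
    ran_after = "payload-ran" in EXECUTED   # True: _record ran during loads()

    legit = load_session_restricted(pickle.dumps(LEGIT_SESSION))  # still works
    return {
        "restricted_blocked": restricted_blocked,
        "ran_before": ran_before,
        "ran_after": ran_after,
        "legit": legit,
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is the ordering inside `demo()`: the vulnerable loader never gets a chance to validate the object, because the call to `_record` happens while `pickle.loads` is still rebuilding the stream. Allowlisting executables on the host does nothing here, since no new executable is launched; the check has to live in the loader (or the format has to be one that cannot express a call at all).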
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| AM-M0007 | Application Allowlisting | Implement application allowlisting to control which executables are permitted to run on systems. |
| AM-M0038 | Behavior Prevention on Endpoint | Deploy endpoint detection and response (EDR) solutions to identify and block suspicious execution patterns. |
| AM-M0022 | Execution Prevention | Use software restriction policies and other execution prevention mechanisms to limit unauthorized code execution. |
| AM-M0039 | Antivirus/Antimalware | Deploy and maintain up-to-date antivirus and antimalware solutions to detect and prevent known malicious code execution. |