Tactic: Payload Execution

Execution Using Standard Applicative Flow

Adversaries may manipulate legitimate workflows so that malicious code or logic executes naturally within the application. This could involve uploading a plugin or script to a sanctioned extension interface, leveraging built-in maintenance commands, or reconfiguring app routines to auto-load attacker-supplied modules. By blending with normal processes, the malicious execution may appear as routine activity to many monitoring tools.

Manipulation of legitimate workflows also applies to customer-facing applications, where adversaries abuse intended behaviors to reach resources they are not authorized to access. These attacks are particularly insidious because they typically consist of well-formed requests carrying valid identifiers and no recognizable malicious payload, which makes them indistinguishable from normal traffic to most security monitoring systems.

Such stealth relies on functional features that exist for administrators or developers - e.g., scriptable maintenance tasks, plugin loading, or advanced debugging commands. When misused, these capabilities grant the attacker code execution without needing to exploit a low-level flaw. This approach can be especially effective in cloud deployments, where organizations frequently automate complex workflows and rarely question newly introduced but valid-appearing processes.

Procedure Examples

| ID | Name | Description |
|---|---|---|
| AC-0002 | npm Supply Chain Attack (September 2025) | Malicious JavaScript code executed through normal npm package imports and browser loading processes, hooking into standard Web APIs without requiring the exploitation of any vulnerability. |
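The defensive counterpart to this technique is to treat sanctioned extension points (plugin directories, install-time hooks, auto-loaded modules) as inventory that must match an approved baseline, so that a "valid-appearing" addition stands out even though nothing in it looks like an exploit. The script below is an added illustration written for this page, not code from the page or from any project it references. It audits a plugin directory against a manifest of approved SHA-256 hashes and flags npm lifecycle scripts that run commands during install (the mechanism behind the AC-0002 example). The plugin directory, its files, the manifest hashes and the package.json are all constructed inline for the demo, and the set of lifecycle hook names treated as install-time is an assumption to adjust per policy.

```python
"""Defender-side audit of a sanctioned extension/plugin directory.

Added example (not part of the original page): compares what is actually
present in a plugin directory against an approved manifest of SHA-256
hashes, and flags npm lifecycle scripts that execute code at install time.
All paths, file names, hashes and package contents below are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# npm lifecycle hooks that run arbitrary commands during install/publish.
# Assumption: this is the reviewer's watch list; extend or trim per policy.
INSTALL_HOOKS = {
    "preinstall", "install", "postinstall", "prepare",
    "prepublish", "prepublishOnly", "prepack", "postpack",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_plugin_dir(plugin_dir, manifest):
    """Compare on-disk plugins with an approved {filename: sha256} manifest.

    Returns a dict with three sorted lists:
      'unexpected' - files on disk that the manifest does not know about
      'modified'   - approved files whose content hash no longer matches
      'missing'    - approved files that are absent from the directory
    """
    plugin_dir = Path(plugin_dir)
    present = {p.name: sha256_file(p) for p in plugin_dir.iterdir() if p.is_file()}
    return {
        "unexpected": sorted(n for n in present if n not in manifest),
        "modified": sorted(n for n in present if n in manifest and present[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in present),
    }


def flag_install_hooks(package_json_text):
    """Return {hook: command} for lifecycle scripts that run during npm install."""
    pkg = json.loads(package_json_text)
    scripts = pkg.get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def demo():
    """Build a constructed plugin directory plus package.json and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "approved.js").write_text("module.exports = () => 'ok';\n")
        (d / "stale.js").write_text("module.exports = () => 'changed';\n")
        (d / "dropped_in.js").write_text("module.exports = () => 'new';\n")
        manifest = {
            "approved.js": sha256_file(d / "approved.js"),            # matches disk
            "stale.js": hashlib.sha256(b"original content").hexdigest(),  # differs from disk
            "retired.js": hashlib.sha256(b"retired").hexdigest(),         # not on disk
        }
        plugin_findings = audit_plugin_dir(d, manifest)
    # Constructed package.json: one ordinary script and one install-time hook.
    pkg = json.dumps({
        "name": "demo-app",
        "scripts": {"test": "jest", "postinstall": "node setup.js"},
    })
    return plugin_findings, flag_install_hooks(pkg)


if __name__ == "__main__":
    findings, hooks = demo()
    print(json.dumps({"plugins": findings, "install_hooks": hooks}, indent=2))
```

In practice the manifest would be generated at release time and stored (ideally signed) outside the directory it describes, and the audit would run on a schedule or from a file-integrity monitor so that a module dropped into the extension path, or a lifecycle hook added to a dependency, produces an alert rather than silently joining the normal load sequence.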