Info
ID: AT-PE002.001
Technique: Remote Code Execution Exploitation
Tactic: Payload Execution
Platforms: Linux, macOS, Windows
Supports Remote: Yes
Version: 1.0
Dynamic Code Evaluation
Dynamic Code Evaluation is a subtechnique within the Payload Execution / Remote Code Execution Exploitation phase in which attackers abuse functions that interpret and execute code at runtime. It exploits application features that parse and execute strings as code, such as `eval()`, `exec()`, `setTimeout()`, `Function()`, or equivalent functions across programming languages (PHP, JavaScript, Python, Ruby, etc.). Unlike exploitation methods that target memory corruption, dynamic code evaluation relies on legitimate application functionality to execute malicious payloads. Attackers typically inject malicious strings into parameters or variables that are subsequently passed to these evaluation functions, which lets the payload bypass static code analysis and conventional input validation. The technique is particularly dangerous in web applications that accept user input and later evaluate it in a trusted context, since it gives attackers direct code execution within the application's runtime environment.
Data Sources
- Application Logs: Dynamic code evaluation function calls and execution traces
- Process Monitoring: Process creation and execution resulting from dynamic evaluation
- Runtime Analysis: Runtime monitoring of interpreter behavior and code execution
- Function Call Logs: Logs of eval(), exec(), and similar dynamic execution functions
Detection
ID | Data Source | Detection |
---|---|---|
DS0009 | Process: OS API Execution | Instrument interpreters to log `eval`, `Function`, `exec` and reflection calls; alert when payload length deviates from the expected or common pattern, or when the payload contains base64/hex decode primitives. |
DS0015 | Application Log | Detect runtime warnings or stack traces referencing eval paths triggered from HTTP endpoints. |
DS0029 | Network Traffic Content | Identify inbound requests whose payloads contain `eval(`, `exec(`, `__import__`, or language-specific gadget chains. |
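The following is an added example, not part of the original page, showing what DS0009 interpreter instrumentation looks like in Python: a `sys.addaudithook` hook (CPython 3.8+) records every string compiled by `eval()`/`exec()`, scores the payload on length deviation from a baseline and on the presence of decode primitives, and the same token check is exposed for inbound request bodies (DS0029). The baseline lengths, regexes, thresholds and function names are assumptions made for this demo.

```python
# Added example (not part of the original page): interpreter-side instrumentation
# for DS0009 via CPython's audit hooks, plus a request-body token check for DS0029.
# Baseline lengths, regexes and thresholds are constructed for the demo.
import re
import statistics
import sys

# Constructed baseline: lengths of the expression strings the application
# legitimately evaluates. In production this would be learned from history.
BASELINE_LENGTHS = [12, 15, 18, 14, 20, 16]

# Decode primitives commonly used to hide a second-stage string from static filters.
DECODE_PRIMITIVES = re.compile(
    r"base64\.b64decode|bytes\.fromhex|binascii\.unhexlify|codecs\.decode|\.decode\("
)
# Tokens the detection table lists for inbound request payloads.
EVAL_TOKENS = re.compile(r"eval\(|exec\(|__import__|\bimport\b")

EVENTS = []          # one dict per observed dynamic evaluation
_installed = False


def assess_payload(source, baseline=BASELINE_LENGTHS, z_threshold=3.0):
    """Return the reasons a dynamically evaluated string looks anomalous ([] if none)."""
    reasons = []
    mean = statistics.fmean(baseline)
    stdev = statistics.pstdev(baseline) or 1.0
    z = (len(source) - mean) / stdev
    if z > z_threshold:        # only unusually long payloads are interesting here
        reasons.append(f"length {len(source)} deviates from baseline (z={z:.1f})")
    if DECODE_PRIMITIVES.search(source):
        reasons.append("contains base64/hex decode primitive")
    if EVAL_TOKENS.search(source):
        reasons.append("contains eval/exec/import token")
    return reasons


def scan_request_body(body):
    """DS0029: True if an inbound request body carries eval-style tokens."""
    return bool(EVAL_TOKENS.search(body))


def _audit_hook(event, args):
    """Runs on every CPython audit event; records string compiles from eval()/exec()."""
    if event != "compile":
        return
    source, filename = args
    # Module imports compile with their real file path; eval()/exec() on a string
    # compile with the pseudo-filename "<string>", which is what we want to watch.
    if filename != "<string>" or not isinstance(source, (str, bytes)):
        return
    if isinstance(source, bytes):
        source = source.decode("utf-8", "replace")
    reasons = assess_payload(source)
    EVENTS.append({"source": source, "reasons": reasons})
    if reasons:
        print(f"ALERT dynamic-eval {reasons}: {source[:80]!r}", file=sys.stderr)


def install():
    """Install the hook once; audit hooks cannot be removed for the life of the process."""
    global _installed
    if not _installed:
        sys.addaudithook(_audit_hook)
        _installed = True


if __name__ == "__main__":
    install()
    eval("2 + 2")                                  # benign: recorded, no alert
    eval("x = 'aGVsbG8='.encode().decode()")       # wait, this is a statement
    for entry in EVENTS:
        print(entry)
```

Note that an audit hook only sees `eval()`/`exec()` calls made with a string or bytes; code objects compiled elsewhere raise the separate `exec` audit event and would need a second branch. The hook must also stay cheap, because it fires for every compile in the process.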
Mitigations
ID | Mitigation | Description |
---|---|---|
M1038 | Execution Prevention | Replace eval/exec patterns with safe, interpreter-less alternatives (JSON parsing, reflection allow-lists) and block eval using runtime rules. |
M1041 | Input Validation | Reject user input containing language keywords (`import`, `class`, `function`) when it is passed to dynamic execution APIs. |
M1048 | Application Isolation & Sandboxing | Leverage language sandboxes (e.g., PyPy sandbox, Node VM context with `timeoutMemory`) to constrain eval paths. |
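As an added example (not part of the original page), the Python below puts the vulnerable `eval()` pattern beside the interpreter-less replacements M1038 calls for: an AST walker with an allow-list of node types for arithmetic, `json.loads` with a key allow-list for data, and a fixed dispatch table in place of reflection. It also includes the M1041 keyword filter as defence in depth. The function names, `ALLOWED_KEYS`, `ACTIONS` and the size bounds are assumptions made for this demo.

```python
# Added example (not part of the original page): eval() beside its interpreter-less
# replacements (M1038) and a keyword filter (M1041). Names and bounds are constructed.
import ast
import json
import operator
import re

MAX_EXPR_LEN = 200
MAX_EXPONENT = 100   # bounds 9**9**9-style resource exhaustion in the allow-list evaluator

_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def unsafe_calculate(expr):
    """Vulnerable pattern: the request string reaches the interpreter unchanged."""
    return eval(expr)


def safe_calculate(expr):
    """Evaluate arithmetic only, by walking the AST with an allow-list of node types."""
    if len(expr) > MAX_EXPR_LEN:
        raise ValueError("expression too long")
    tree = ast.parse(expr, mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](walk(node.operand))
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            left, right = walk(node.left), walk(node.right)
            if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
                raise ValueError("exponent too large")
            return _BIN_OPS[type(node.op)](left, right)
        # Names, attribute access, calls, subscripts and everything else end here.
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


def is_safe_expression(expr):
    """True if safe_calculate accepts the expression; False on any rejection."""
    try:
        safe_calculate(expr)
        return True
    except (ValueError, SyntaxError, ZeroDivisionError):
        return False


ALLOWED_KEYS = {"theme", "retries", "locale"}   # constructed for the demo


def load_settings(text):
    """Data is data: parse it with json.loads, never eval(), and allow-list the keys."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("settings must be a JSON object")
    unknown = set(data) - ALLOWED_KEYS
    if unknown:
        raise ValueError(f"unknown settings keys: {sorted(unknown)}")
    return data


ACTIONS = {"ping": lambda: "pong", "version": lambda: "1.0"}   # constructed dispatch table


def dispatch(name):
    """Reflection allow-list: look the name up in a fixed table instead of getattr()/eval()."""
    try:
        return ACTIONS[name]()
    except KeyError:
        raise ValueError(f"unknown action: {name}") from None


KEYWORD_BLOCKLIST = re.compile(r"\b(import|class|function)\b")


def rejects_keywords(text):
    """M1041 keyword filter. Defence in depth only; the allow-lists above do the real work."""
    return bool(KEYWORD_BLOCKLIST.search(text))


if __name__ == "__main__":
    print(safe_calculate("2+3*4"))                 # 14
    print(is_safe_expression("__import__('os').getcwd()"))   # False: Call node rejected
    print(load_settings('{"theme": "dark"}'))
    print(dispatch("ping"))
```

The allow-list evaluator rejects by default: anything that is not a numeric constant, a unary sign or one of the listed binary operators raises, so names, calls and attribute access never reach the interpreter. The exponent bound is the edge case the plain AST approach misses, since `9**9**9` is syntactically pure arithmetic but exhausts memory.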