---
type: "term"
title: "R-EXEC (Foreign Execution Recording Rule)"
description: "Global mapping rule: Whenever Foreign Executable Content (FEC) is interpreted, loaded, or executed, a 7 Malware step MUST be recorded at the moment of execution, independent of how execution was enabled."
resource: "tlctc:term:r-exec-foreign-execution-recording-rule"
tags:
  - "glossary"
---
# R-EXEC (Foreign Execution Recording Rule)

Global mapping rule: Whenever Foreign Executable Content (FEC) is interpreted, loaded, or executed, a `#7 Malware` step MUST be recorded at the moment of execution, independent of how execution was enabled. `#7` is additive (does not replace the enabling cluster).

**Reference:** §4.2.5 (R-EXEC)

**Related reading:** [Cobalt Strike capabilities × TLCTC V2.0](https://www.tlctc.net/tlctc-cobaltstrike-mapping.html), [The File Type Fallacy — extension blocklists](https://www.tlctc.net/tlctc-file-type-fallacy.html), [GovCERT-CH blocked filetypes × TLCTC](https://www.tlctc.net/tlctc-govcert-blocked-filetypes.html)