T1203: Exploitation for Client Execution

Data from MITRE ATT&CK®:

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.

Several types exist:

Browser-based Exploitation

Web browsers are a common target through Drive-by Compromise and Spearphishing Link. Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.

Office Applications

Common office and productivity applications such as Microsoft Office are also targeted through Phishing. Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.

Common Third-party Applications

Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Exploit Protection

Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

Application Isolation and Sandboxing

Restrict execution of code to a virtual environment on or in transit to an endpoint system.

Application Log Content (Application Log)

Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)

Process Creation (Process)

The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

Antivirus Exploitation Framework Detection

antivirus

Equation Editor Network Connection

windows network connection

Office Application Initiated Network Connection To Non-Local IP

windows network connection

Java Running with Remote Debugging

windows process creation

OMIGOD SCX RunAsProvider ExecuteShellCommand

linux process creation

Audit CVE Event

windows

Download From Suspicious TLD - Whitelist

proxy

Suspicious HWP Sub Processes

windows process creation

Potentially Suspicious Child Process Of WinRAR.EXE

windows process creation

Suspicious Spool Service Child Process

windows process creation

OMIGOD HTTP No Authentication RCE

zeek

OMIGOD SCX RunAsProvider ExecuteScript

linux process creation

Download From Suspicious TLD - Blacklist

proxy

OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd

linux

Suspicious Browser Child Process - MacOS

macos process creation