Execution

T1203: Exploitation for Client Execution


T1203 · Technique · 3 platforms · 41 groups

Description

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits in an offensive toolkit are those that obtain code execution on a remote system, because they can be used to gain access to that system. Users expect to see files related to the applications they commonly use for work, so those applications are a useful target for exploit research and development because of their high utility.

Several types exist:

### Browser-based Exploitation

Web browsers are a common target through Drive-by Compromise and Spearphishing Link. Endpoint systems may be compromised through normal web browsing or by certain users being targeted with links in spearphishing emails to adversary-controlled sites that exploit the web browser. These often do not require any action by the user for the exploit to be executed.

### Office Applications

Common office and productivity applications such as Microsoft Office are also targeted through Phishing. Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.

### Common Third-party Applications

Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.

Platforms

Linux, macOS, Windows

Mitigations (3)

Exploit Protection (M1050)

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Con

Update Software (M1051)

Perform regular software updates to mitigate exploitation risk. Keeping software up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities in client software, reducing the risk of successful attacks.

Application Isolation and Sandboxing (M1048)

Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. (Citation: Windows Blogs Microsoft Edge Sandbox) (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. Risks of additional exploits and weaknesses in those systems may

Threat Groups (41)

| ID | Group | Context |
| --- | --- | --- |
| G0121 | Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has exploited vulnerabilities to gain execution including CVE-2017-11882 and CVE-2020-0674.(Citati... |
| G1031 | Saint Bear | [Saint Bear](https://attack.mitre.org/groups/G1031) has leveraged vulnerabilities in client applications such as CVE-2017-11882 in Microsoft Office to... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has exploited Microsoft Office vulnerability CVE-2017-0262 for execution.(Citation: Securelist Sofacy F... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has exploited CVE-2018-0798 in Equation Editor.(Citation: Trend Micro Iron Tiger April 2021... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and Micro... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has exploited CVE-2011-0611 in Adobe Flash Player to gain execution on a targeted system.(Citation:... |
| G0138 | Andariel | [Andariel](https://attack.mitre.org/groups/G0138) has exploited numerous ActiveX vulnerabilities, including zero-days.(Citation: FSI Andariel Campaign... |
| G0089 | The White Company | [The White Company](https://attack.mitre.org/groups/G0089) has taken advantage of a known vulnerability in Microsoft Word (CVE 2012-0158) to execute ... |
| G1011 | EXOTIC LILY | [EXOTIC LILY](https://attack.mitre.org/groups/G1011) has used malicious documents containing exploits for CVE-2021-40444 affecting Microsoft MSHTML.(C... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has exploited Adobe Flash vulnerability CVE-2018-4878 for execution.(Citation: McAfee Bankshot) |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used multiple software exploits for common client software, like Microsoft Word, Exchange, and Adob... |
| G0098 | BlackTech | [BlackTech](https://attack.mitre.org/groups/G0098) has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities CV... |
| G0142 | Confucius | [Confucius](https://attack.mitre.org/groups/G0142) has exploited Microsoft Office vulnerabilities, including CVE-2015-1641, CVE-2017-11882, and CVE-20... |
| G0040 | Patchwork | [Patchwork](https://attack.mitre.org/groups/G0040) uses malicious documents to deliver remote execution exploits as part of. The group has previously ... |
| G0005 | APT12 | [APT12](https://attack.mitre.org/groups/G0005) has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2... |
| G0001 | Axiom | [Axiom](https://attack.mitre.org/groups/G0001) has used exploits for multiple vulnerabilities including CVE-2014-0322, CVE-2012-4792, CVE-2012-1889, a... |
| G0126 | Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) has exploited CVE-2018-0798 for execution.(Citation: PTSecurity Higaisa 2020) |
| G0080 | Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) had exploited multiple vulnerabilities for execution, including Microsoft’s Equation Editor (CVE... |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has exploited multiple Microsoft Office and .NET vulnerabilities for execution, including CVE-2017-... |
| G0067 | APT37 | [APT37](https://attack.mitre.org/groups/G0067) has used exploits for Flash Player (CVE-2016-4117, CVE-2018-4878), Word (CVE-2017-0199), Internet Explo... |

Associated Software (14)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S0331 | Agent Tesla | Malware | [Agent Tesla](https://attack.mitre.org/software/S0331) has exploited Office vulnerabilities such as CVE-2017-11882 and CVE-2017-8570 for execution dur... |
| S0239 | Bankshot | Malware | [Bankshot](https://attack.mitre.org/software/S0239) leverages a known zero-day vulnerability in Adobe Flash to execute the implant into the victims’ m... |
| S1154 | VersaMem | Malware | [VersaMem](https://attack.mitre.org/software/S1154) was installed through exploitation of CVE-2024-39717 in Versa Director servers.(Citation: Lumen Ve... |
| S1207 | XLoader | Malware | [XLoader](https://attack.mitre.org/software/S1207) has exploited Office vulnerabilities during local execution such as CVE-2017-11882 and CVE-2018-079... |
| S0396 | EvilBunny | Malware | [EvilBunny](https://attack.mitre.org/software/S0396) has exploited CVE-2011-4369, a vulnerability in the PRC component in Adobe Reader.(Citation: Cyph... |
| S0341 | Xbash | Malware | [Xbash](https://attack.mitre.org/software/S0341) can attempt to exploit known vulnerabilities in Hadoop, Redis, or ActiveMQ when it finds those servic... |
| S0578 | SUPERNOVA | Malware | [SUPERNOVA](https://attack.mitre.org/software/S0578) was installed via exploitation of a SolarWinds Orion API authentication bypass vulnerability (CVE... |
| S0458 | Ramsay | Malware | [Ramsay](https://attack.mitre.org/software/S0458) has been embedded in documents exploiting CVE-2017-0199, CVE-2017-11882, and CVE-2017-8570.(Citation... |
| S0374 | SpeakUp | Malware | [SpeakUp](https://attack.mitre.org/software/S0374) attempts to exploit the following vulnerabilities in order to execute its malicious script: CVE-201... |
| S0391 | HAWKBALL | Malware | [HAWKBALL](https://attack.mitre.org/software/S0391) has exploited Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802 to deliver the pay... |
| S0243 | DealersChoice | Malware | [DealersChoice](https://attack.mitre.org/software/S0243) leverages vulnerable versions of Flash to perform execution.(Citation: Sofacy DealersChoice) |
| S1065 | Woody RAT | Malware | [Woody RAT](https://attack.mitre.org/software/S1065) has relied on CVE-2022-30190 (Follina) for execution during delivery.(Citation: MalwareBytes Wood... |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can exploit Oracle Java vulnerabilities for execution, including CVE-2011-3544, CVE-2013-2465... |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) has installed legitimate but vulnerable Total Video Player software and wdigest.dll library driv... |

Frequently Asked Questions

What is T1203 (Exploitation for Client Execution)?

T1203 is a MITRE ATT&CK technique named 'Exploitation for Client Execution'. It belongs to the Execution tactic. Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior....

How can T1203 be detected?

Detection of T1203 (Exploitation for Client Execution) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique, such as the targeted client applications (browsers, Office, Adobe Reader) crashing unexpectedly or spawning processes they would not normally launch.
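The process-ancestry check behind many T1203 detections, as an added example that is not part of the original page or of ATT&CK: it flags the client applications named above (Office, Equation Editor, Adobe Reader, browsers) spawning interpreters or other unexpected children in process-creation telemetry. The event fields, the sample events and the executable-name lists are constructed assumptions for this snippet.

```python
"""Flag T1203-style process behaviour in constructed endpoint telemetry.
Added illustrative example, not MITRE's or any vendor's code; the Sysmon-like
event shape and the sample events are constructed for this snippet."""
import ntpath

# Client apps the description names as targets (browsers, Office, Adobe Reader);
# eqnedt32.exe is the Equation Editor behind CVE-2017-11882 / CVE-2018-0798.
CLIENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "eqnedt32.exe", "acrord32.exe", "chrome.exe", "firefox.exe",
               "iexplore.exe", "msedge.exe"}
# Interpreters and script hosts a document viewer or browser should not spawn.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe",
                       "regsvr32.exe", "wscript.exe", "cscript.exe",
                       "certutil.exe", "msiexec.exe"}
# Helpers these apps legitimately launch (print spooler shim, crash reporter).
EXPECTED_CHILDREN = {"splwow64.exe", "werfault.exe"}

def _basename(path):
    return ntpath.basename(path or "").lower()

def classify(event):
    """Return (severity, reason) for one process-creation event, or None."""
    parent = _basename(event.get("ParentImage"))
    child = _basename(event.get("Image"))
    if parent not in CLIENT_APPS:
        return None
    if child in SUSPICIOUS_CHILDREN:
        return "high", f"{parent} spawned {child}"
    if parent == "eqnedt32.exe":
        # Equation Editor is a passive COM server; any child of it is abnormal.
        return "high", f"equation editor spawned {child}"
    if child not in EXPECTED_CHILDREN and child not in CLIENT_APPS:
        return "medium", f"{parent} spawned unexpected {child}"
    return None

def scan(events):
    """Run classify() over events; return (time, severity, reason) alerts."""
    alerts = []
    for e in events:
        verdict = classify(e)
        if verdict:
            alerts.append((e["UtcTime"], *verdict))
    return alerts

SAMPLE_EVENTS = [  # constructed; paths shortened, not real install locations
    {"UtcTime": "10:00:01", "ParentImage": r"C:\Office\WINWORD.EXE", "Image": r"C:\Windows\splwow64.exe"},
    {"UtcTime": "10:00:05", "ParentImage": r"C:\Office\EQNEDT32.EXE", "Image": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "10:01:10", "ParentImage": r"C:\Adobe\AcroRd32.exe", "Image": r"C:\Windows\System32\powershell.exe"},
    {"UtcTime": "10:02:00", "ParentImage": r"C:\Office\OUTLOOK.EXE", "Image": r"C:\Office\WINWORD.EXE"},
    {"UtcTime": "10:03:30", "ParentImage": r"C:\Office\EXCEL.EXE", "Image": r"C:\Windows\notepad.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` yields two high-severity alerts (Equation Editor and Adobe Reader launching shells) and one medium alert for Excel launching an unexpected child; the benign print helper and Outlook-to-Word launches stay silent.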

What mitigations exist for T1203?

There are 3 documented mitigations for T1203. Key mitigations include: Exploit Protection, Update Software, Application Isolation and Sandboxing.

Which threat groups use T1203?

Known threat groups using T1203 include: Sidewinder, Saint Bear, APT28, Threat Group-3390, Sandworm Team, Dragonfly, Andariel, The White Company.