Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Several types exist:
Web browsers are a common target through Drive-by Compromise and Spearphishing Link. Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.
Common office and productivity applications such as Microsoft Office are also targeted through Phishing. Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.
Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-vt | Intel Virtualization Technology | Win 11, VBS, Memory Integrity | T1203 | Exploitation for Client Execution |
Comments
Memory integrity is a Virtualization-based security feature that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS (VBS uses Intel VT-x). Memory integrity also restricts kernel memory allocations that could be used to compromise the system. Memory integrity is sometimes referred to as hypervisor-protected code integrity (HVCI). VBS provides an isolated environment that acts as a root-of-trust for the OS and its core components. It is enabled by Intel VT-x, VT-x2 with Extended Page Tables, SMMUs (Intel VT-d) and Secure Boot (Intel Boot Guard).
Memory Integrity protects against behaviors that involve exploitation of kernel components including core drivers in memory, changing security configurations and running untrusted code (based on signatures).
"HVCI protects modification of the Control Flow Guard (CFG) bitmap for kernel mode drivers. Protects the kernel mode code integrity process that ensures that other trusted kernel processes have a valid certificate."
"Hypervisor-protected code integrity introduces a new rule that no kernel memory pages are both writeable and executable, which eliminates an entire category of attacks that dynamically generate code. Additionally, HVCI comes enabled with a code integrity security policy that blocks drivers known to be used in kernel tampering, including Mimikatz, the old vulnerable VBox driver, and the Capcom driver commonly used in rootkits. Ultimately, HVCI provides optimal protection for the kernel against tampering and escalation of privilege attacks. ... With HVCI enabled, attempts to modify the process structures will fail, preventing the protected process flag from being removed, which prevents process memory inspection or module injection into LSA."
References
|
| intel-vt | Intel Virtualization Technology | Win 11, HWESP | T1203 | Exploitation for Client Execution |
Comments
HW Enforced stack protection (HWESP) relies on Virtualization Based Security (VBS) which use Intel PTT, Intel VT-x, Intel VT-d and Intel BootGuard to ensure the OS components loaded are not tampered with and isolate security sensitive processes. Additionally, it uses Intel Control Flow Enforcement Technology (Intel CET) to allow hardware to ensure that sensitive areas in the regions of memory (such as the stack) for processes are not tampered with by either injecting code or changing the control flow of the code or both.
HWESP includes four components Code Integrity Guard, Arbitrary Code Guard, Control Flow Guard and Shadow Stack protections.
Code Integrity Guard attempts to prevent "... arbitrary code generation by enforcing signature requirements for loading binaries".
Arbitrary Code Guard attempts to ensure "... signed pages are immutable and dynamic code cannot be generated ...".
Control Flow Guard ensures control flow integrity by enforcing "... integrity on indirect calls (forward-edge CFI)."
Shadow Stack ensures control flow integrity by enforcing "... integrity on return addresses on the stack (backward-edge CFI)."
Together these features aim to ensure integrity of binary images run on Windows 11 and prevent dynamic code from running or changing the control flow of the code. Since these features offer real-time protection for sensitive regions of memory, these are marked as offering significant protection.
References
|
| intel-pt | Intel Processor Trace | Crowdstrike HEED | T1203 | Exploitation for Client Execution |
Comments
CrowdStrike Falcon Hardware Enhanced Exploit Detection (HEED) is an advanced security feature that integrates Intel Processor Trace (Intel PT) technology to provide enhanced visibility into sophisticated attack techniques, including real-time detection of exploits designed for client execution. These attacks often involve adversaries exploiting vulnerabilities within applications, services, or the operating system to redirect control flow and execute malicious code on client systems.
Intel PT offers deep insights into program execution at the hardware level, capturing critical telemetry such as control flow, memory access, and instruction execution in real-time. This detailed telemetry allows security teams to detect abnormal behaviors, including suspicious code paths, unexpected execution flows, and attempts to hijack legitimate processes. By monitoring these low-level activities, HEED makes it easier to identify exploitation attempts that aim to gain control of client systems and bypass traditional security measures.
By combining Intel PT’s granular telemetry with advanced detection algorithms, HEED provides a powerful defense against evasive attack techniques that may evade detection by conventional security tools. This proactive approach enables organizations to quickly identify and mitigate client execution exploits, enhancing protection for critical systems and reducing the risk of compromise from evolving cyber threats
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2023-26369 | Adobe Acrobat and Reader Out-of-Bounds Write Vulnerability | primary_impact | T1203 | Exploitation for Client Execution |
Comments
This vulnerability is exploited through a user opening a malicious PDF file.
References
|
| CVE-2023-21608 | Adobe Acrobat and Reader Use-After-Free Vulnerability | primary_impact | T1203 | Exploitation for Client Execution |
Comments
This vulnerability is exploited by having a user open a maliciously-crafted pdf file, which can result in arbitrary code execution.
References
|
| CVE-2021-21206 | Google Chromium Blink Use-After-Free Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution |
Comments
CVE-2021-21206 allows an adversary to use JavaScript to exploit the Blink rendering engine of the Chromium Browser that allows for execution of arbitrary code.
References
|
| CVE-2021-30554 | Google Chromium WebGL Use-After-Free Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution |
Comments
CVE-2021-30554 allows an adversary to use JavaScript to exploit WebGL component of the Chromium browser that allows for execution of arbitrary code.
References
|
| CVE-2021-37975 | Google Chromium V8 Use-After-Free Vulnerability | primary_impact | T1203 | Exploitation for Client Execution |
Comments
CVE-2021-37975 allows an adversary to use JavaScript to exploit the Chromium browser V8 JavaScript engine which allows for a write into the heap.
References
|
| CVE-2021-21148 | Google Chromium V8 Heap Buffer Overflow Vulnerability | primary_impact | T1203 | Exploitation for Client Execution |
Comments
CVE-2021-21148 allows an adversary to use JavaScript to exploit the Chromium browser V8 JavaScript engine which allows for a write into the heap.
References
|
| CVE-2021-21166 | Google Chromium Race Condition Vulnerability | primary_impact | T1203 | Exploitation for Client Execution |
Comments
CVE-2021-21166 allows an adversary to use JavaScript to exploit the Chromium browser via the audio object using a race condition to write into the heap.
References
|
| CVE-2024-5274 | Google Chromium V8 Type Confusion Vulnerability | primary_impact | T1203 | Exploitation for Client Execution |
Comments
This vulnerability is exploited by the hosting of malicious content on a website. Adversaries use this to deliver an information-stealing payload within Chrome.
References
|
| CVE-2015-5119 | Adobe Flash Player Use-After-Free Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution |
Comments
This vulnerability has been exploited in the wild by multiple different threat actors. Threat groups send phishing emails with URLs where maliciously-crafted javascript is hosted. This CVE has many mappable exploitation techniques and impacts.
These adversaries using this exploit to deliver malicious payloads to the target machines establish DLL backdoors.
References
|
| CVE-2021-29256 | Arm Mali GPU Kernel Driver Use-After-Free Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution |
Comments
This vulnerability is exploited by an unprivileged attacker by conducting malicious activity in GPU memory, gaining access to already freed memory. If successful, the threat actor could escalate their privileges to root as well as gain access to sensitive information. Detailed information about how adversaries exploit the GPU are not publicly available.
References
|
| CVE-2018-4939 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution |
Comments
This deserialization vulnerability allows adversaries to insert their own objects into client software for potential execution.
References
|
| CVE-2024-26169 | Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution |
Comments
This vulnerability is a zero-day exploit that "manipulates the Windows file werkernel.sys, which uses a null security descriptor when creating registry keys. Attackers create a registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe and set the "Debugger" value to the exploit's executable pathname. This allows the exploit to start a shell with administrative privileges." This vulnerability has been exploited by the Black Basta ransomware group.
References
|
| CVE-2021-27059 | Microsoft Office Remote Code Execution Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution |
Comments
The vulnerability allows a remote user to execute arbitrary code on the target system due to improper input validation in Microsoft Office.
References
|
| CVE-2023-23397 | Microsoft Office Outlook Privilege Escalation Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution |
Comments
This vulnerability is exploited when an adversary sends a specially-crafted email which can result in the disclosure of authentication information that an adversary can replay to gain access to systems.
References
|
| CVE-2022-20701 | Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability | primary_impact | T1203 | Exploitation for Client Execution |
Comments
This insufficient authorization vulnerability is exploited by a local attacker who has access to low-privileged code where they then execute commands within confd_cli at a higher privilege levels. Performing these commands could grant the local attacker root privileges.
References
|
| CVE-2022-20703 | Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution |
Comments
This Digital Signature Verification Bypass vulnerability is exploited by an unauthenticated, local attacker. The attacker exploits an improper verification of software images that could allow the attacker to install and boot malicious images or execute unsigned binaries.
References
|
| CVE-2023-34048 | VMware vCenter Server Out-of-Bounds Write Vulnerability | primary_impact | T1203 | Exploitation for Client Execution |
Comments
This vulnerability is exploited by an adversary who has already gained network access to the vCenter Server. The adversary sends a crafted payload to the server that has a vulnerable DCERPC protocol and causes an out-of-bounds write on the jmp rax instruction. Adversary group UNC3886 has been attributed to leveraging this vulnerability in the wild to establish a backdoor in victim vCenter servers.
References
|
| CVE-2023-36844 | Juniper Junos OS EX Series PHP External Variable Modification Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution |
Comments
This vulnerability is exploited through a PHP External Variable Modification flaw in the J-Web component of Juniper Networks Junos OS on EX Series devices. Attackers first use this vulnerability to gain control over certain environment variables by sending a crafted request, which allows them to manipulate these variables without authentication.
References
|
| CVE-2023-49897 | FXC AE1021, AE1021PE OS Command Injection Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution |
Comments
CVE-2023-49897 is an OS command injection vulnerability affecting AE1021PE firmware. This vulnerability has been publicly reported to be leveraged during the InfectedSlurs campaign to install a Mirai malware variant with the intention of creating a distributed denial-of-service (DDoS) botnet with these infected devices.
References
|
| CVE-2023-47565 | QNAP VioStor NVR OS Command Injection Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution |
Comments
CVE-2023-47565 is an OS command injection vulnerability in QNAP VioStor network video recorder (NVR) devices. This vulnerability has been publicly reported to be leveraged during the InfectedSlurs campaign to install a Mirai malware variant with the intention of creating a distributed denial-of-service (DDoS) botnet with these infected devices.
References
|
| CVE-2021-39144 | XStream Remote Code Execution Vulnerability | primary_impact | T1203 | Exploitation for Client Execution |
Comments
The vulnerability allows a remote attacker to execute arbitrary code on the target system. It exists due to the deserialization of untrusted data in XStream versions up to 1.4.18. A remote attacker can exploit this by sending a specially crafted XStream marshalled payload to an endpoint in VMware NSX Manager, which uses the vulnerable xstream-1.4.18.jar package. Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system, allowing execution of commands with root privileges.
References
|
| CVE-2022-41128 | Microsoft Windows Scripting Languages Remote Code Execution Vulnerability | primary_impact | T1203 | Exploitation for Client Execution |
Comments
This vulnerability is exploited by a remote adversary who entices a user with an affected version of Windows to access a malicious server. The adversary hosts a specially crafted server share or website and convinces the user to visit it, typically through an email or chat message. The adversary then crafts a malicious Microsoft Office document that embeds a remote RTF template, which fetches HTML content rendered by Internet Explorer's JScript engine. This stealthy attack vector does not require Internet Explorer as the default browser. Once the victim opens the document and disables protected view, the adversary executes arbitrary code by triggering a type confusion error in the JScript engine. This allows the adversary to deliver malicious payloads, conduct reconnaissance, and exfiltrate data, while erasing traces of the exploit by clearing the browser cache and history. The impact on the victim includes unauthorized access to sensitive information and the potential installation of backdoors for further exploitation.
References
|