T1203 Exploitation for Client Execution

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system, because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly use to do work, so those applications are a useful target for exploit research and development because of their high utility.

Several types exist:

Browser-based Exploitation

Web browsers are a common target through Drive-by Compromise and Spearphishing Link. Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.

Office Applications

Common office and productivity applications such as Microsoft Office are also targeted through Phishing. Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.

Common Third-party Applications

Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
DE.AE-02.01 | Event analysis and detection | Mitigates | T1203 | Exploitation for Client Execution
  Comments: This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
PR.PS-06.06 | Vulnerability remediation | Mitigates | T1203 | Exploitation for Client Execution
  Comments: This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Ensuring software is up to date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities, reducing the risk of successful attacks.
PR.PS-06.05 | Testing and validation strategy | Mitigates | T1203 | Exploitation for Client Execution
  Comments: This diagnostic statement highlights the use of software security testing, code integrity verification, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of.
ID.RA-01.03 | Vulnerability management | Mitigates | T1203 | Exploitation for Client Execution
  Comments: This diagnostic statement provides protection from vulnerabilities in exposed applications across the organization through the use of tools that scan for and review vulnerabilities, along with patch management and remediation of those vulnerabilities.
PR.PS-05.02 | Mobile code prevention | Mitigates | T1203 | Exploitation for Client Execution
  Comments: Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
PR.PS-01.09 | Virtualized end point protection | Mitigates | T1203 | Exploitation for Client Execution
  Comments: The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies. Virtualization technologies provide a layer of isolation and containment that limits the impact of potential compromises. For this exploitation technique, sandboxing makes it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CA-07 | Continuous Monitoring | mitigates | T1203 | Exploitation for Client Execution
SC-29 | Heterogeneity | mitigates | T1203 | Exploitation for Client Execution
SC-30 | Concealment and Misdirection | mitigates | T1203 | Exploitation for Client Execution
SC-18 | Mobile Code | mitigates | T1203 | Exploitation for Client Execution
SC-44 | Detonation Chambers | mitigates | T1203 | Exploitation for Client Execution
SC-02 | Separation of System and User Functionality | mitigates | T1203 | Exploitation for Client Execution
SC-03 | Security Function Isolation | mitigates | T1203 | Exploitation for Client Execution
SC-39 | Process Isolation | mitigates | T1203 | Exploitation for Client Execution
SI-02 | Flaw Remediation | mitigates | T1203 | Exploitation for Client Execution
CM-08 | System Component Inventory | mitigates | T1203 | Exploitation for Client Execution
SI-03 | Malicious Code Protection | mitigates | T1203 | Exploitation for Client Execution
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1203 | Exploitation for Client Execution
SI-04 | System Monitoring | mitigates | T1203 | Exploitation for Client Execution
AC-04 | Information Flow Enforcement | mitigates | T1203 | Exploitation for Client Execution
AC-06 | Least Privilege | mitigates | T1203 | Exploitation for Client Execution
SC-07 | Boundary Protection | mitigates | T1203 | Exploitation for Client Execution

Known Exploited Vulnerabilities Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CVE-2023-21608 | Adobe Acrobat and Reader Use-After-Free Vulnerability | primary_impact | T1203 | Exploitation for Client Execution
  Comments: This vulnerability is exploited by having a user open a maliciously crafted PDF file, which can result in arbitrary code execution.
CVE-2021-37975 | Google Chromium V8 Use-After-Free Vulnerability | primary_impact | T1203 | Exploitation for Client Execution
  Comments: CVE-2021-37975 allows an adversary to use JavaScript to exploit the Chromium browser's V8 JavaScript engine, which allows for a write into the heap.
CVE-2021-30554 | Google Chromium WebGL Use-After-Free Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: CVE-2021-30554 allows an adversary to use JavaScript to exploit the WebGL component of the Chromium browser, which allows for execution of arbitrary code.
CVE-2021-29256 | Arm Mali GPU Kernel Driver Use-After-Free Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: This vulnerability is exploited by an unprivileged attacker conducting malicious activity in GPU memory, gaining access to already freed memory. If successful, the threat actor could escalate their privileges to root as well as gain access to sensitive information. Detailed information about how adversaries exploit the GPU is not publicly available.
CVE-2021-21206 | Google Chromium Blink Use-After-Free Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: CVE-2021-21206 allows an adversary to use JavaScript to exploit the Blink rendering engine of the Chromium browser, which allows for execution of arbitrary code.
CVE-2015-5119 | Adobe Flash Player Use-After-Free Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: This vulnerability has been exploited in the wild by multiple different threat actors. Threat groups send phishing emails with URLs where maliciously crafted JavaScript is hosted. This CVE has many mappable exploitation techniques and impacts. Adversaries using this exploit deliver malicious payloads to the target machines and establish DLL backdoors.
CVE-2025-27038 | Qualcomm Multiple Chipsets Use-After-Free Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: Exploitation of this vulnerability would allow an attacker to use client-side software (in this case, Chrome) to execute code on the system.
CVE-2024-5274 | Google Chromium V8 Type Confusion Vulnerability | primary_impact | T1203 | Exploitation for Client Execution
  Comments: This vulnerability is exploited by hosting malicious content on a website. Adversaries use this to deliver an information-stealing payload within Chrome.
CVE-2025-6554 | Google Chromium V8 Type Confusion Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
CVE-2025-30397 | Microsoft Windows Scripting Engine Type Confusion Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: This vulnerability has enabled attackers to use heap spraying techniques to trigger a memory corruption, allowing them to execute code remotely.
CVE-2025-31201 | Apple Multiple Products Arbitrary Read and Write Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.
CVE-2025-2783 | Google Chromium Mojo Sandbox Escape Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: This vulnerability allows attackers to escape Chrome's sandbox through a Mojo IPC message crafted to trigger higher privilege. Exploitation has been reported as part of a cyber-espionage campaign.
CVE-2021-21166 | Google Chromium Race Condition Vulnerability | primary_impact | T1203 | Exploitation for Client Execution
  Comments: CVE-2021-21166 allows an adversary to use JavaScript to exploit the Chromium browser via the audio object, using a race condition to write into the heap.
CVE-2023-23397 | Microsoft Office Outlook Privilege Escalation Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: This vulnerability is exploited when an adversary sends a specially crafted email, which can result in the disclosure of authentication information that an adversary can replay to gain access to systems.
CVE-2023-36844 | Juniper Junos OS EX Series PHP External Variable Modification Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: This vulnerability is exploited through a PHP External Variable Modification flaw in the J-Web component of Juniper Networks Junos OS on EX Series devices. Attackers first use this vulnerability to gain control over certain environment variables by sending a crafted request, which allows them to manipulate these variables without authentication.
CVE-2024-45195 | Apache OFBiz Forced Browsing Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: Insufficient authorization checks in affected Apache OFBiz versions (before 18.12.16) allow an attacker running their own server to send POST requests that instruct the OFBiz server to fetch malicious files from the attacker's server. The attacker can then send another request that triggers the malicious files to run arbitrary code.
CVE-2022-23748 | Dante Discovery Process Control Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: An attacker with local access can exploit a DLL sideloading vulnerability by tricking mDNSResponder.exe into loading a malicious DLL, facilitating arbitrary code execution.
CVE-2025-31200 | Apple Multiple Products Memory Corruption Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.
CVE-2024-26169 | Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: This vulnerability is a zero-day exploit that "manipulates the Windows file werkernel.sys, which uses a null security descriptor when creating registry keys. Attackers create a registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe and set the "Debugger" value to the exploit's executable pathname. This allows the exploit to start a shell with administrative privileges." This vulnerability has been exploited by the Black Basta ransomware group.
CVE-2023-49897 | FXC AE1021, AE1021PE OS Command Injection Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: CVE-2023-49897 is an OS command injection vulnerability affecting AE1021PE firmware. This vulnerability has been publicly reported to be leveraged during the InfectedSlurs campaign to install a Mirai malware variant with the intention of creating a distributed denial-of-service (DDoS) botnet with these infected devices.
CVE-2023-47565 | QNAP VioStor NVR OS Command Injection Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: CVE-2023-47565 is an OS command injection vulnerability in QNAP VioStor network video recorder (NVR) devices. This vulnerability has been publicly reported to be leveraged during the InfectedSlurs campaign to install a Mirai malware variant with the intention of creating a distributed denial-of-service (DDoS) botnet with these infected devices.
CVE-2024-11120 | GeoVision Devices OS Command Injection Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: Specific end-of-life GeoVision IoT devices contain an insufficient input validation vulnerability that allows unauthenticated attackers to inject arbitrary commands and execute them on the system.
CVE-2022-20703 | Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: This Digital Signature Verification Bypass vulnerability is exploited by an unauthenticated, local attacker. The attacker exploits an improper verification of software images that could allow the attacker to install and boot malicious images or execute unsigned binaries.
CVE-2022-20701 | Cisco Small Business RV Series Routers Stack-based Buffer Overflow Vulnerability | primary_impact | T1203 | Exploitation for Client Execution
  Comments: This insufficient authorization vulnerability is exploited by a local attacker who has access to low-privileged code and then executes commands within confd_cli at higher privilege levels. Performing these commands could grant the local attacker root privileges.
CVE-2021-21148 | Google Chromium V8 Heap Buffer Overflow Vulnerability | primary_impact | T1203 | Exploitation for Client Execution
  Comments: CVE-2021-21148 allows an adversary to use JavaScript to exploit the Chromium browser's V8 JavaScript engine, which allows for a write into the heap.
CVE-2025-24993 | Microsoft Windows NTFS Heap-Based Buffer Overflow Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: This heap-based buffer overflow vulnerability in Windows NTFS allows an attacker to elevate to SYSTEM-level privileges. This vulnerability can be exploited via malicious virtual hard disk (VHD) files that can be mounted by a system user, leading to code execution.
CVE-2025-6543 | Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: An unprivileged attacker can leverage this buffer overflow vulnerability, leading to a denial of service attack. No public exploits of this vulnerability exist, and information from Citrix is limited.
CVE-2022-41128 | Microsoft Windows Scripting Languages Remote Code Execution Vulnerability | primary_impact | T1203 | Exploitation for Client Execution
  Comments: This vulnerability is exploited by a remote adversary who entices a user with an affected version of Windows to access a malicious server. The adversary hosts a specially crafted server share or website and convinces the user to visit it, typically through an email or chat message. The adversary then crafts a malicious Microsoft Office document that embeds a remote RTF template, which fetches HTML content rendered by Internet Explorer's JScript engine. This stealthy attack vector does not require Internet Explorer to be the default browser. Once the victim opens the document and disables Protected View, the adversary executes arbitrary code by triggering a type confusion error in the JScript engine. This allows the adversary to deliver malicious payloads, conduct reconnaissance, and exfiltrate data, while erasing traces of the exploit by clearing the browser cache and history. The impact on the victim includes unauthorized access to sensitive information and the potential installation of backdoors for further exploitation.
CVE-2021-39144 | XStream Remote Code Execution Vulnerability | primary_impact | T1203 | Exploitation for Client Execution
  Comments: The vulnerability allows a remote attacker to execute arbitrary code on the target system. It exists due to the deserialization of untrusted data in XStream versions up to 1.4.18. A remote attacker can exploit this by sending a specially crafted XStream marshalled payload to an endpoint in VMware NSX Manager, which uses the vulnerable xstream-1.4.18.jar package. Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system, allowing execution of commands with root privileges.
CVE-2021-27059 | Microsoft Office Remote Code Execution Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: The vulnerability allows a remote user to execute arbitrary code on the target system due to improper input validation in Microsoft Office.
CVE-2025-6558 | Google Chromium ANGLE and GPU Improper Input Validation Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
CVE-2023-34048 | VMware vCenter Server Out-of-Bounds Write Vulnerability | primary_impact | T1203 | Exploitation for Client Execution
  Comments: This vulnerability is exploited by an adversary who has already gained network access to the vCenter Server. The adversary sends a crafted payload to the server's vulnerable DCERPC protocol implementation and causes an out-of-bounds write on the jmp rax instruction. Adversary group UNC3886 has been attributed with leveraging this vulnerability in the wild to establish a backdoor in victim vCenter servers.
CVE-2023-26369 | Adobe Acrobat and Reader Out-of-Bounds Write Vulnerability | primary_impact | T1203 | Exploitation for Client Execution
CVE-2025-43200 | Apple Multiple Products Unspecified Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: A zero-click attack leveraging this vulnerability involves sending a maliciously crafted photo or video in an iCloud link via the Messages app. Reports indicate that the targeted devices are then compromised with Paragon's Graphite spyware.
CVE-2025-5419 | Google Chromium V8 Out-of-Bounds Read and Write Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: Victims are tricked into visiting malicious web pages crafted to trigger exploitation of this vulnerability, leading to undefined behavior.
CVE-2025-4427 | Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: By sending a specially crafted HTTP GET request to the Ivanti EPMM endpoint, an attacker can bypass the authentication mechanisms. This can be chained with CVE-2025-4428 to achieve remote code execution.
CVE-2025-3935 | ConnectWise ScreenConnect Improper Authentication Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: By exploiting this vulnerability, which stems from ASP.NET and its use of ViewState, an attacker with privileged access can gain access to sensitive data, such as machine keys. Using these machine keys, the attacker can craft malicious ViewState payloads to execute remote code on the ScreenConnect server.
CVE-2022-43769 | Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: Attackers can use Server-Side Template Injection with a Thymeleaf template to inject malicious code. When chained with CVE-2022-43939, this can lead to unauthorized code execution.
CVE-2018-4939 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: This deserialization vulnerability allows adversaries to insert their own objects into client software for potential execution.
CVE-2025-24016 | Wazuh Server Deserialization of Untrusted Data Vulnerability | secondary_impact | T1203 | Exploitation for Client Execution
  Comments: Attackers with API access have been reported as exploiting this vulnerability through a JSON payload sent to a Wazuh worker server. Requests relayed to the master server can result in arbitrary code execution.
CVE-2025-42999 | SAP NetWeaver Deserialization Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: This deserialization vulnerability in NetWeaver Visual Composer, when chained with CVE-2025-31324, allows an attacker to execute unauthenticated remote code with administrator privileges, leading to consequences such as web shell deployment.
CVE-2025-3248 | Langflow Missing Authentication Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: Unauthenticated attackers have exploited this missing authentication vulnerability by sending crafted HTTP requests, allowing them to execute arbitrary code on the target Langflow server.
CVE-2025-30406 | Gladinet CentreStack and Triofox Use of Hard-coded Cryptographic Key Vulnerability | exploitation_technique | T1203 | Exploitation for Client Execution
  Comments: This vulnerability has been exploited to give threat actors with knowledge of the CentreStack portal's machineKey the ability to craft malicious payloads for remote code execution.

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1203 | Exploitation for Client Execution
  Comments: This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
azure_policy | Azure Policy | technique_scores | T1203 | Exploitation for Client Execution
  Comments: This control may provide recommendations for vulnerability assessment and for outdated applications and cloud services. This control covers a wide range of Azure cloud services to help reduce the surface area for exploitation.
azure_update_manager | Azure Update Manager | technique_scores | T1203 | Exploitation for Client Execution
  Comments: This control provides significant coverage for Exploitation for Client Execution methods that leverage unpatched vulnerabilities, since it enables automated updates of software and rapid configuration change management.
defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1203 | Exploitation for Client Execution
  Comments: This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate.
vulnerability_management | Microsoft Defender for Cloud: Vulnerability Management | technique_scores | T1203 | Exploitation for Client Execution
  Comments: Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation, and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
artifact_analysis | Artifact Analysis | technique_scores | T1203 | Exploitation for Client Execution
  Comments: Artifact Analysis performs vulnerability scans on artifacts in Artifact Registry or Container Registry (deprecated). When Artifact Analysis is deployed, it can detect known vulnerabilities in various Linux OS packages. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and is not effective against zero-day attacks, vulnerabilities with no available patch, and other end-of-life packages.
google_secops | Google Security Operations | technique_scores | T1203 | Exploitation for Client Execution
  Comments: Google Security Ops is able to trigger an alert based on antivirus notifications that report an exploitation framework (e.g., Meterpreter, Metasploit, PowerSploit). This technique was scored as Minimal based on a low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/detect_service_creation_by_metasploit_on_victim_machine.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/proxy/exploit_framework_user_agent.yaral
vm_manager | VM Manager | technique_scores | T1203 | Exploitation for Client Execution
  Comments: VM Manager can apply on-demand and scheduled patches via automated patch deployment. This can remediate OS and software vulnerabilities that could otherwise be exploited. Since VM Manager does not directly prevent exploitation of active vulnerabilities (including zero-day vulnerabilities), this control has resulted in a score of Partial.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
amazon_inspector | Amazon Inspector | technique_scores | T1203 | Exploitation for Client Execution
  Comments: Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for "Enable Address Space Layout Randomization (ASLR)" and "Enable Data Execution Prevention (DEP)", which make it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation, and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
aws_config | AWS Config | technique_scores | T1203 | Exploitation for Client Execution
  Comments: The "ec2-managedinstance-applications-blacklisted" managed rule verifies that a pre-defined list of applications is not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The "ec2-managedinstance-platform-check" managed rule verifies that managed instances are running desired platform types, including a desired version (as opposed to an out-of-date one). Both can reduce instances' attack surface for adversary exploitation, including for client execution. All of these are run on configuration changes. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial.
aws_security_hub | AWS Security Hub | technique_scores | T1203 | Exploitation for Client Execution
  Comments: AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities throughout the attack lifecycle. AWS Security Hub provides this detection with the following managed insight: "EC2 instances that have missing security patches for important vulnerabilities". This is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. It does not cover zero-day vulnerabilities.
aws_web_application_firewall | AWS Web Application Firewall | technique_scores | T1203 | Exploitation for Client Execution
  Comments: AWS WAF protects against exploitation for client execution (browser-based exploitation) by blocking malicious traffic that contains cross-site scripting patterns with the AWSManagedRulesCommonRuleSet rule set. This is scored as Significant because the rule set is broadly applicable to web applications and blocks the malicious traffic in near real-time.