Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Several types exist:
Web browsers are a common target through Drive-by Compromise and Spearphishing Link. Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.
Common office and productivity applications such as Microsoft Office are also targeted through Phishing. Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.
Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-4 | Information Flow Enforcement | Protects | T1203 | Exploitation for Client Execution | |
| AC-6 | Least Privilege | Protects | T1203 | Exploitation for Client Execution | |
| CA-7 | Continuous Monitoring | Protects | T1203 | Exploitation for Client Execution | |
| CM-8 | System Component Inventory | Protects | T1203 | Exploitation for Client Execution | |
| SC-18 | Mobile Code | Protects | T1203 | Exploitation for Client Execution | |
| SC-2 | Separation of System and User Functionality | Protects | T1203 | Exploitation for Client Execution | |
| SC-29 | Heterogeneity | Protects | T1203 | Exploitation for Client Execution | |
| SC-3 | Security Function Isolation | Protects | T1203 | Exploitation for Client Execution | |
| SC-30 | Concealment and Misdirection | Protects | T1203 | Exploitation for Client Execution | |
| SC-39 | Process Isolation | Protects | T1203 | Exploitation for Client Execution | |
| SC-7 | Boundary Protection | Protects | T1203 | Exploitation for Client Execution | |
| SI-3 | Malicious Code Protection | Protects | T1203 | Exploitation for Client Execution | |
| SI-4 | System Monitoring | Protects | T1203 | Exploitation for Client Execution | |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1203 | Exploitation for Client Execution | |
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1203 | Exploitation for Client Execution |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate. The following alerts may be generated: "Fileless attack technique detected", "Fileless attack behavior detected", "Fileless attack toolkit detected", "Suspicious SVCHOST process executed".
References
|
| azure_automation_update_management | Azure Automation Update Management | technique_scores | T1203 | Exploitation for Client Execution |
Comments
This control provides significant coverage for Exploitation for client execution methods that leverage unpatched vulnerabilities since it enables automated updates of software and rapid configuration change management.
References
|
| azure_policy | Azure Policy | technique_scores | T1203 | Exploitation for Client Execution |
Comments
This control may provide recommendations for vulnerability assessment and outdated applications and cloud services. This control covers a wide range of Azure cloud services to help reduce the surface area for exploitation.
References
|
| azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1203 | Exploitation for Client Execution |
Comments
This control's Fileless Attack Detection identifies shellcode executing within process memory, including shellcode executed as a payload in the exploitation of a software vulnerability. Detection is periodic at an unknown rate.
References
|
| integrated_vulnerability_scanner_powered_by_qualys | Integrated Vulnerability Scanner Powered by Qualys | technique_scores | T1203 | Exploitation for Client Execution |
Comments
Once this control is deployed, it can detect known vulnerabilities in Windows and various Linux endpoints. This information can be used to patch, isolate, or remove vulnerable software and machines. This control does not directly protect against exploitation and it is not effective against zero day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
|