1. Home
  2. ATT&CK Techniques
  3. T1203 Exploitation for Client Execution

T1203 Exploitation for Client Execution Mappings

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.

Several types exist:

Browser-based Exploitation

Web browsers are a common target through Drive-by Compromise and Spearphishing Link. Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.

Office Applications

Common office and productivity applications such as Microsoft Office are also targeted through Phishing. Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.

Common Third-party Applications

Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-4 Information Flow Enforcement Protects T1203 Exploitation for Client Execution
AC-6 Least Privilege Protects T1203 Exploitation for Client Execution
CA-7 Continuous Monitoring Protects T1203 Exploitation for Client Execution
CM-8 System Component Inventory Protects T1203 Exploitation for Client Execution
SC-18 Mobile Code Protects T1203 Exploitation for Client Execution
SC-2 Separation of System and User Functionality Protects T1203 Exploitation for Client Execution
SC-29 Heterogeneity Protects T1203 Exploitation for Client Execution
SC-3 Security Function Isolation Protects T1203 Exploitation for Client Execution
SC-30 Concealment and Misdirection Protects T1203 Exploitation for Client Execution
SC-39 Process Isolation Protects T1203 Exploitation for Client Execution
SC-7 Boundary Protection Protects T1203 Exploitation for Client Execution
SI-3 Malicious Code Protection Protects T1203 Exploitation for Client Execution
SI-4 System Monitoring Protects T1203 Exploitation for Client Execution
SI-7 Software, Firmware, and Information Integrity Protects T1203 Exploitation for Client Execution
CVE-2018-17934 NUUO CMS secondary_impact T1203 Exploitation for Client Execution
CVE-2018-5454 Philips IntelliSpace Portal primary_impact T1203 Exploitation for Client Execution
CVE-2019-1106 Microsoft Edge exploitation_technique T1203 Exploitation for Client Execution
CVE-2019-1035 Microsoft Office exploitation_technique T1203 Exploitation for Client Execution
CVE-2019-0926 Microsoft Edge exploitation_technique T1203 Exploitation for Client Execution
CVE-2019-1052 Microsoft Edge exploitation_technique T1203 Exploitation for Client Execution
CVE-2013-0707 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2020-7456 FreeBSD uncategorized T1203 Exploitation for Client Execution
CVE-2020-12464 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2012-5958 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2016-5180 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2020-6418 Chrome uncategorized T1203 Exploitation for Client Execution
CVE-2020-5902 BIG-IP uncategorized T1203 Exploitation for Client Execution
CVE-2019-7286 iOS uncategorized T1203 Exploitation for Client Execution
CVE-2019-18935 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2019-17026 Firefox ESR uncategorized T1203 Exploitation for Client Execution
CVE-2019-13720 Chrome uncategorized T1203 Exploitation for Client Execution
CVE-2019-11886 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2018-9206 Blueimp jQuery-File-Upload uncategorized T1203 Exploitation for Client Execution
CVE-2018-8174 Windows 7 uncategorized T1203 Exploitation for Client Execution
CVE-2018-8120 Windows Server 2008 uncategorized T1203 Exploitation for Client Execution
CVE-2018-0798 Equation Editor uncategorized T1203 Exploitation for Client Execution
CVE-2016-4656 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2016-1409 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2015-2590 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2015-2425 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2014-2817 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2014-0324 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2014-0307 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2013-5211 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2013-2471 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2013-1493 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2013-0625 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2013-0422 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2011-3402 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2010-1423 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2010-1165 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2009-1862 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2009-1807 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2009-1151 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2015-1641 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2020-11901 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2016-7256 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2016-3714 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2015-0071 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2014-4123 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2014-0266 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2010-1885 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2009-3459 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2020-13125 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2014-7187 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2011-3544 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2016-0034 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2015-7756 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2015-2426 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2020-13126 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2017-10271 WebLogic Server uncategorized T1203 Exploitation for Client Execution
CVE-2016-6909 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2014-6278 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2010-5326 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2009-3041 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2020-11897 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2020-11896 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2019-9019 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2013-3893 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2020-9818 iOS uncategorized T1203 Exploitation for Client Execution
CVE-2020-1631 Junos OS uncategorized T1203 Exploitation for Client Execution
CVE-2020-1350 Windows Server uncategorized T1203 Exploitation for Client Execution
CVE-2020-0938 Windows uncategorized T1203 Exploitation for Client Execution
CVE-2019-9791 Thunderbird uncategorized T1203 Exploitation for Client Execution
CVE-2019-1579 Palo Alto Networks GlobalProtect Portal/Gateway Interface uncategorized T1203 Exploitation for Client Execution
CVE-2019-11932 android-gif-drawable uncategorized T1203 Exploitation for Client Execution
CVE-2019-0903 Windows uncategorized T1203 Exploitation for Client Execution
CVE-2019-0803 Windows uncategorized T1203 Exploitation for Client Execution
CVE-2018-8833 Advantech WebAccess HMI Designer uncategorized T1203 Exploitation for Client Execution
CVE-2018-8589 Windows Server 2008 uncategorized T1203 Exploitation for Client Execution
CVE-2018-7513 Omron CX-Supervisor uncategorized T1203 Exploitation for Client Execution
CVE-2018-20838 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2018-18956 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2018-10376 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2017-5613 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2017-2404 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2017-12824 InPage reader uncategorized T1203 Exploitation for Client Execution
CVE-2016-9299 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2016-2208 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2015-3864 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2014-7169 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2014-5334 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2014-0593 obs-service-set_version uncategorized T1203 Exploitation for Client Execution
CVE-2013-3897 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2013-3163 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2012-2311 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2012-1856 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2011-3192 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2011-2005 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2010-4398 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2010-2568 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2010-2152 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2010-1297 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2010-0842 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2010-0480 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2009-1800 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2009-1671 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2009-0824 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2008-2992 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2017-5638 Apache Struts uncategorized T1203 Exploitation for Client Execution
CVE-2015-1494 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2020-6819 Thunderbird uncategorized T1203 Exploitation for Client Execution
CVE-2020-10257 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2017-15919 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2017-0222 Internet Explorer uncategorized T1203 Exploitation for Client Execution
CVE-2017-0149 Internet Explorer uncategorized T1203 Exploitation for Client Execution
CVE-2016-9079 Firefox uncategorized T1203 Exploitation for Client Execution
CVE-2016-7189 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2016-3393 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2015-5123 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2015-2502 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2015-2419 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2014-6332 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2014-1815 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2013-2465 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2013-2423 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2012-3213 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2010-3971 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2009-1136 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2014-1776 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2013-3918 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2020-2883 WebLogic Server uncategorized T1203 Exploitation for Client Execution
CVE-2020-0601 Windows uncategorized T1203 Exploitation for Client Execution
CVE-2019-10149 exim uncategorized T1203 Exploitation for Client Execution
CVE-2018-20062 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2016-6366 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2019-3396 Confluence Server uncategorized T1203 Exploitation for Client Execution
CVE-2018-20250 WinRAR uncategorized T1203 Exploitation for Client Execution
CVE-2017-8464 Windows Shell uncategorized T1203 Exploitation for Client Execution
CVE-2017-11882 Microsoft Office uncategorized T1203 Exploitation for Client Execution
CVE-2017-11826 Microsoft Office uncategorized T1203 Exploitation for Client Execution
CVE-2017-0261 Microsoft Office uncategorized T1203 Exploitation for Client Execution
CVE-2015-6585 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2015-1642 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2015-0096 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2014-7247 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2014-6352 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2013-1331 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2010-1424 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2010-0840 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2009-4324 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2009-0556 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2019-13510 Rockwell Automation Arena Simulation Software versions 16.00.00 and earlier uncategorized T1203 Exploitation for Client Execution
CVE-2019-13541 Horner Automation Cscape uncategorized T1203 Exploitation for Client Execution
CVE-2019-13527 Rockwell Automation Arena Simulation Software Cat. 9502-Ax, Versions 16.00.00 and earlier uncategorized T1203 Exploitation for Client Execution
CVE-2017-8570 Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, and Microsoft Office 2016. uncategorized T1203 Exploitation for Client Execution
CVE-2017-0262 Microsoft Office uncategorized T1203 Exploitation for Client Execution
CVE-2016-7193 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2015-2509 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2014-0810 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2013-3644 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2010-3915 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2010-3333 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2010-2862 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2010-0028 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2009-3129 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2009-0927 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2019-9081 uncategorized T1203 Exploitation for Client Execution
CVE-2020-1020 Windows uncategorized T1203 Exploitation for Client Execution
CVE-2017-8759 Microsoft .NET Framework uncategorized T1203 Exploitation for Client Execution
CVE-2017-11847 Windows kernel uncategorized T1203 Exploitation for Client Execution
CVE-2013-3906 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2012-6467 n/a uncategorized T1203 Exploitation for Client Execution
CVE-2019-6340 Drupal Core uncategorized T1203 Exploitation for Client Execution
CVE-2019-10980 LCDS LAquis SCADA uncategorized T1203 Exploitation for Client Execution
action.hacking.variety.Buffer overflow Buffer overflow. Child of 'Exploit vuln'. related-to T1203 Exploitation for Client Execution
action.hacking.variety.HTTP Response Splitting HTTP Response Splitting. Child of 'Exploit vuln'. related-to T1203 Exploitation for Client Execution
action.hacking.variety.HTTP request smuggling HTTP request smuggling. Child of 'Exploit vuln'. related-to T1203 Exploitation for Client Execution
action.hacking.variety.HTTP request splitting HTTP request splitting. Child of 'Exploit vuln'. related-to T1203 Exploitation for Client Execution
action.hacking.variety.HTTP response smuggling HTTP response smuggling. Child of 'Exploit vuln'. related-to T1203 Exploitation for Client Execution
action.malware.variety.Client-side attack Client-side or browser attack (e.g., redirection, XSS, MitB) related-to T1203 Exploitation for Client Execution
action.malware.vector.Email attachment Email via user-executed attachment. Child of 'Email' related-to T1203 Exploitation for Client Execution
aws_config AWS Config technique_scores T1203 Exploitation for Client Execution
Comments
The "ec2-managedinstance-applications-blacklisted" managed rule verifies that a pre-defined list of applications are not installed on specified managed instances. It can be used to identify the presence of vulnerable applications (prompting removal before they can be exploited) and/or to identify the presence of allowed packages below a minimum version (prompting updates before they can be exploited). The "ec2-managedinstance-platform-check" managed rule verifies that managed instances are running desired platform types, including using a desired version (as opposed to an out-of-date one). Both can reduce instances' attack surface for adversary exploitation, including for client execution. All of these are run on configuration changes. Coverage factor is partial for these rules, since they are specific to a subset of the available AWS services and will only protect against certain forms of identifiable exploitation, resulting in an overall score of Partial.
References
  1. https://docs.aws.amazon.com/config
  2. https://docs.aws.amazon.com/config/latest/developerguide
  3. https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
amazon_inspector Amazon Inspector technique_scores T1203 Exploitation for Client Execution
Comments
Amazon Inspector can detect known vulnerabilities on various Windows and Linux endpoints. Furthermore, the Amazon Inspector Best Practices assessment package can assess security controls for "Enable Address Space Layout Randomization (ASLR)" and "Enable Data Execution Prevention (DEP)" that makes it more difficult for an attacker to exploit vulnerabilities in software. This information can be used to patch, isolate, and remove vulnerable software and endpoints. Amazon Inspector does not directly protect against exploitation and it is not effective against zero-day attacks, vulnerabilities with no available patch, and software that may not be analyzed by the scanner. As a result, the score is capped at Partial.
References
  1. https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html
aws_web_application_firewall AWS Web Application Firewall technique_scores T1203 Exploitation for Client Execution
Comments
AWS WAF protects against exploitation for client execution (browser-based exploitation) by blocking malicious traffic that contains cross-site scripting patterns with the following rule set. AWSManagedRulesCommonRuleSet This is scored as Significant because the rule set is broadly applicable to web applications and blocks the malicious traffic in near real-time.
References
  1. https://aws.amazon.com/waf/
  2. https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html
  3. https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html
  4. https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html
aws_security_hub AWS Security Hub technique_scores T1203 Exploitation for Client Execution
Comments
AWS Security Hub reports on EC2 instances that are missing security patches for vulnerabilities which could enable an adversary to exploit vulnerabilities through the attack lifecycle. AWS Security Hub provides this detection with the following managed insight. EC2 instances that have missing security patches for important vulnerabilities This is scored as Partial because the checks associated with Security Hub would only report on missing patches for known vulnerabilities. It doesn't not cover zero-day vulnerabilities.
References
  1. https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html