MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1203: Exploitation for Client Execution

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.

Several types exist:

Browser-based Exploitation

Web browsers are a common target through Drive-by Compromise and Spearphishing Link. Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.

Office Applications

Common office and productivity applications such as Microsoft Office are also targeted through Phishing. Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.

Common Third-party Applications

Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

vulnerabilities: PT-CR-1375: Windows_Contacts_RCE: Possible exploitation of vulnerability CVE-2022-44666 in Windows Contacts
mitre_attck_execution: PT-CR-20: Suspicious_process_execution_sequence: A suspicious sequence of running processes on a Windows host has been detected
vulnerabilities: PT-CR-2314: CVE_2024_21378_Outlook_RCE: Exploitation of vulnerability CVE-2024-21378 in Outlook. The vulnerability allows code execution using Outlook forms.
unix_mitre_attck_execution: PT-CR-2283: Unix_Suspicious_Process_Execution_Sequence: Suspicious sequence of processes on a Linux host
vulnerabilities: PT-CR-2492: CVE_2024_29510_Ghostscript: Possible code execution using the CVE-2024-29510 vulnerability. It is a format string vulnerability in Ghostscript versions before 10.03.1 that allows you to bypass the sandbox and execute arbitrary commands. This vulnerability can be used via libraries such as ImageMagick.
vulnerabilities: PT-CR-680: CVE_2022_26500_26501_exploitation: Vulnerabilities CVE-2022-26500 and CVE-2022-26501 were exploited
vulnerabilities: PT-CR-779: MSDT_CVE_2022_30190: The ms-msdt protocol was used to exploit vulnerability CVE-2022-30190 (Follina) in Microsoft Support Diagnostic Tool (MSDT)
vulnerabilities: PT-CR-892: Possible_CVE_2021_1647: Possible exploitation of vulnerability CVE-2021-1647 in Windows Defender
mitre_attck_persistence: PT-CR-665: KeePass_Persistence: KeePass has started a suspicious child process. The start of such a process indicates an attacker's attempt to gain a foothold in the system

Detection

IDDS0015Data source and componentApplication Log: Application Log ContentDescription

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.

IDDS0009Data source and componentProcess: Process CreationDescription

Monitor for abnormal process creations, such as a Command and Scripting Interpreter spawning from a potentially exploited application. Also look for other behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of browser or Office processes.

Example, it is not expected behavior for print spool service to be executing discovery type processes. However, this is one example and could be any number of native or third party processes that are executing either unusual or unknown (potentially adversary brought) processes.

Note:

  • Analytic 1, look for instances where Office Applications (e.g., Word, Excel, PowerPoint) are launched with suspicious parameters or from unusual locations
  • Analytic 2, look for abnormal child process creation by Office Applications especially when accompanied by suspicious command-line parameters

Analytic 1 - Office Application Process Execution

(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND (Image= “\winword.exe” OR Image= “\excel.exe” OR Image= “\powerpnt.exe”) AND (CommandLine= “macro” OR CommandLine= “automation” OR CommandLine= “shellcode”) AND ParentCommandLine= “open

Analytic 2 - Unusual Child Process Creation

(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND (ParentImage= “\winword.exe” OR ParentImage= “\excel.exe” OR ParentImage= “\powerpnt.exe”) AND (Image != “\system32\” OR Image != “\program files”)

Mitigation

IDM1050NameExploit ProtectionDescription

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. Many of these protections depend on the architecture and target application binary for compatibility.

IDM1048NameApplication Isolation and SandboxingDescription

Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.

Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. Risks of additional exploits and weaknesses in those systems may still exist.