T1203

Exploitation for Client Execution

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain ...

Platforms: Linux, macOS, Windows

Detections: 71
Sources: 4
Threat Actors: 41

BY SOURCE

elastic: 26
sigma: 17
sublime: 17
splunk_escu: 11

PROCEDURES (42)

All procedure groupings below are auto-extracted from the detections; each entry gives the grouping name and the number of detections it covers.

General Monitoring: 11 detections
Phish: 3 detections
Lateral: 3 detections
Attachment: 3 detections
Script Execution Monitoring: 3 detections
Child Process: 3 detections
Remote: 2 detections
Exfiltrat: 2 detections
Download: 2 detections
Parent Process: 2 detections
Aws: 2 detections
Service: 2 detections
Child Process: 2 detections
Azure: 2 detections
Download: 2 detections
Dns: 1 detection
Suspicious: 1 detection
Suspicious: 1 detection
Inject: 1 detection
Child Process: 1 detection
Download: 1 detection
Suspicious: 1 detection
Privilege: 1 detection
Macro: 1 detection
Child Process: 1 detection
Macro: 1 detection
Office: 1 detection
Unusual: 1 detection
Service: 1 detection
Office: 1 detection
Aws: 1 detection
Bypass: 1 detection
Network Connection Monitoring: 1 detection
Office: 1 detection
Email: 1 detection
Authentication Monitoring: 1 detection
Email Security: 1 detection
Attachment: 1 detection
Command Line Monitoring: 1 detection
Child Process: 1 detection
Email: 1 detection
Remote: 1 detection

DETECTIONS (71)

Each entry lists the detection name followed by its source and, where the source assigns one, its severity (low, medium, high, critical); splunk_escu entries carry no severity on this page.

Anomalous Windows Process Creation (elastic, low)
Anthropic Magic String in HTML (sublime, low)
Antivirus Exploitation Framework Detection (sigma, critical)
Attachment: Archive containing HTML file with file scheme link (sublime, high)
Attachment: Archive contains DLL-loading macro (sublime, high)
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability (sublime, critical)
Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability (sublime, high)
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability (sublime, critical)
Attachment: LNK with embedded content (sublime, high)
Attachment: WinRAR CVE-2025-8088 exploitation (sublime, high)
Attachment: ZIP file with CVE-2026-0866 exploit (sublime, medium)
Audit CVE Event (sigma, critical)
Callback Phishing via Signable E-Signature Request (sublime, high)
Callback phishing via SignFree e-signature request (sublime, high)
Callback phishing via Xodo Sign comment (sublime, high)
Cisco Secure Firewall - Binary File Type Download (splunk_escu)
Cisco Secure Firewall - Blocked Connection (splunk_escu)
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt (splunk_escu)
Cisco Secure Firewall - High Priority Intrusion Classification (splunk_escu)
Cisco Secure Firewall - Malware File Downloaded (splunk_escu)
Cisco Secure Firewall - Possibly Compromised Host (splunk_escu)
Cisco Secure Firewall - Repeated Blocked Connections (splunk_escu)
Cupsd or Foomatic-rip Shell Execution (elastic, high)
CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG (sublime, critical)
Detect Windows DNS SIGRed via Splunk Stream (splunk_escu)
Detect Windows DNS SIGRed via Zeek (splunk_escu)
Download From Suspicious TLD - Blacklist (sigma, low)
Download From Suspicious TLD - Whitelist (sigma, low)
Execution of File Written or Modified by Microsoft Office (elastic, high)
Exploit - Detected - Elastic Endgame (elastic, high)
Exploit - Prevented - Elastic Endgame (elastic, medium)
File Creation by Cups or Foomatic-rip Child (elastic, medium)
Java Running with Remote Debugging (sigma, medium)
Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability (sublime, critical)
Mass campaign: Cross Site Scripting (XSS) attempt (sublime, medium)
Network Connection by Cups or Foomatic-rip Child (elastic, high)
Network Connection Initiated By Eqnedt32.EXE (sigma, high)
Office Application Initiated Network Connection To Non-Local IP (sigma, medium)
OMIGOD SCX RunAsProvider ExecuteScript (sigma, high)
OMIGOD SCX RunAsProvider ExecuteShellCommand (sigma, high)
Open redirect: City of Calgary (sublime, medium)
Outlook hyperlink bypass: left-to-right mark (LRM) in base HTML tag (sublime, medium)
Potential CVE-2025-33053 Exploitation (elastic, high)
Potential Foxmail Exploitation (elastic, high)
Potential Git CVE-2025-48384 Exploitation (elastic, high)
Potential JAVA/JNDI Exploitation Attempt (elastic, high)
Potential Notepad Markdown RCE Exploitation (elastic, high)
Potential SAP NetWeaver Exploitation (elastic, high)
Potential SAP NetWeaver WebShell Creation (elastic, high)
Potential Shell via Wildcard Injection Detected (elastic, medium)
Potentially Suspicious Child Process of KeyScrambler.exe (sigma, medium)
Potentially Suspicious Child Process Of WinRAR.EXE (sigma, medium)
Printer User (lp) Shell Execution (elastic, high)
Sunburst Correlation DLL and Network Event (splunk_escu)
Suspicious ArcSOC.exe Child Process (sigma, high)
Suspicious Browser Child Process (elastic, high)
Suspicious Browser Child Process - MacOS (sigma, medium)
Suspicious Communication App Child Process (elastic, medium)
Suspicious Download and Execute Pattern via Curl/Wget (sigma, high)
Suspicious Execution from Foomatic-rip or Cupsd Parent (elastic, high)
Suspicious HWP Sub Processes (sigma, high)
Suspicious Invocation of Shell via Rsync (sigma, high)
Suspicious macOS MS Office Child Process (elastic, medium)
Suspicious Microsoft Diagnostics Wizard Execution (elastic, high)
Suspicious MS Office Child Process (elastic, medium)
Suspicious PDF Reader Child Process (elastic, low)
Suspicious Spool Service Child Process (sigma, high)
Suspicious Zoom Child Process (elastic, medium)
Unusual Executable File Creation by a System Critical Process (elastic, high)
Windows MSC EvilTwin Directory Path Manipulation (splunk_escu)
WPS Office Exploitation via DLL Hijack (elastic, high)