T1203

Exploitation for Client Execution

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain ...

Platforms: Linux, macOS, Windows

75 Detections
4 Sources
41 Threat Actors

BY SOURCE

elastic: 27
sigma: 19
sublime: 17
splunk_escu: 12

PROCEDURES (44)

General Monitoring: 11 detections (auto-extracted)
Child Process: 3 detections (auto-extracted)
Attachment: 3 detections (auto-extracted)
Phish: 3 detections (auto-extracted)
Network Connection Monitoring: 3 detections (auto-extracted)
Service: 2 detections (auto-extracted)
Aws: 2 detections (auto-extracted)
Parent Process: 2 detections (auto-extracted)
Child Process: 2 detections (auto-extracted)
Download: 2 detections (auto-extracted)
Script Execution Monitoring: 2 detections (auto-extracted)
Azure: 2 detections (auto-extracted)
Remote: 2 detections (auto-extracted)
Lateral: 1 detection (auto-extracted)
Email Security: 1 detection (auto-extracted)
Attachment: 1 detection (auto-extracted)
Remote: 1 detection (auto-extracted)
Suspicious: 1 detection (auto-extracted)
Suspicious: 1 detection (auto-extracted)
Inject: 1 detection (auto-extracted)
Macro: 1 detection (auto-extracted)
Child Process: 1 detection (auto-extracted)
Macro: 1 detection (auto-extracted)
Unusual: 1 detection (auto-extracted)
Lateral: 1 detection (auto-extracted)
Email: 1 detection (auto-extracted)
Email: 1 detection (auto-extracted)
Inject: 1 detection (auto-extracted)
Command Line Monitoring: 1 detection (auto-extracted)
Office: 1 detection (auto-extracted)
Office: 1 detection (auto-extracted)
Macro: 1 detection (auto-extracted)
Office: 1 detection (auto-extracted)
Aws: 1 detection (auto-extracted)
Macro: 1 detection (auto-extracted)
Office: 1 detection (auto-extracted)
Authentication Monitoring: 1 detection (auto-extracted)
Inject: 1 detection (auto-extracted)
Child Process: 1 detection (auto-extracted)
Download: 1 detection (auto-extracted)
Suspicious: 1 detection (auto-extracted)
Process Creation Monitoring: 1 detection (auto-extracted)
Privilege: 1 detection (auto-extracted)
Child Process: 1 detection (auto-extracted)

DETECTIONS (75)

Anomalous Windows Process Creation (elastic, low)
Anthropic Magic String in HTML (sublime, low)
Antivirus Exploitation Framework Detection (sigma, critical)
Attachment: Archive containing HTML file with file scheme link (sublime, high)
Attachment: Archive contains DLL-loading macro (sublime, high)
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability (sublime, critical)
Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability (sublime, high)
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability (sublime, critical)
Attachment: LNK with embedded content (sublime, high)
Attachment: WinRAR CVE-2025-8088 exploitation (sublime, high)
Attachment: ZIP file with CVE-2026-0866 exploit (sublime, medium)
Audit CVE Event (sigma, critical)
Callback Phishing via Signable E-Signature Request (sublime, high)
Callback phishing via SignFree e-signature request (sublime, high)
Callback phishing via Xodo Sign comment (sublime, high)
Cisco Secure Firewall - Binary File Type Download (splunk_escu)
Cisco Secure Firewall - Blocked Connection (splunk_escu)
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt (splunk_escu)
Cisco Secure Firewall - High Priority Intrusion Classification (splunk_escu)
Cisco Secure Firewall - Malware File Downloaded (splunk_escu)
Cisco Secure Firewall - Possibly Compromised Host (splunk_escu)
Cisco Secure Firewall - Repeated Blocked Connections (splunk_escu)
Cupsd or Foomatic-rip Shell Execution (elastic, high)
CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG (sublime, critical)
Detect Windows DNS SIGRed via Splunk Stream (splunk_escu)
Detect Windows DNS SIGRed via Zeek (splunk_escu)
Dfsvc.EXE Initiated Network Connection Over Uncommon Port (sigma, high)
Dfsvc.EXE Network Connection To Non-Local IPs (sigma, medium)
Download From Suspicious TLD - Blacklist (sigma, low)
Download From Suspicious TLD - Whitelist (sigma, low)
Execution of File Written or Modified by Microsoft Office (elastic, high)
Exploit - Detected - Elastic Endgame (elastic, high)
Exploit - Prevented - Elastic Endgame (elastic, medium)
File Creation by Cups or Foomatic-rip Child (elastic, medium)
Java Running with Remote Debugging (sigma, medium)
Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability (sublime, critical)
Mass campaign: Cross Site Scripting (XSS) attempt (sublime, medium)
Network Connection by Cups or Foomatic-rip Child (elastic, high)
Network Connection Initiated By Eqnedt32.EXE (sigma, high)
Office Application Initiated Network Connection To Non-Local IP (sigma, medium)
OMIGOD SCX RunAsProvider ExecuteScript (sigma, high)
OMIGOD SCX RunAsProvider ExecuteShellCommand (sigma, high)
Open redirect: City of Calgary (sublime, medium)
Outlook hyperlink bypass: left-to-right mark (LRM) in base HTML tag (sublime, medium)
Potential CVE-2025-33053 Exploitation (elastic, high)
Potential Foxmail Exploitation (elastic, high)
Potential Git CVE-2025-48384 Exploitation (elastic, high)
Potential JAVA/JNDI Exploitation Attempt (elastic, high)
Potential Notepad Markdown RCE Exploitation (elastic, high)
Potential SAP NetWeaver Exploitation (elastic, high)
Potential SAP NetWeaver WebShell Creation (elastic, high)
Potential Shell via Wildcard Injection Detected (elastic, medium)
Potentially Suspicious Child Process of KeyScrambler.exe (sigma, medium)
Potentially Suspicious Child Process Of WinRAR.EXE (sigma, medium)
Printer User (lp) Shell Execution (elastic, high)
Segfault from Sensitive Process Detected (elastic, medium)
Sunburst Correlation DLL and Network Event (splunk_escu)
Suspicious ArcSOC.exe Child Process (sigma, high)
Suspicious Browser Child Process (elastic, high)
Suspicious Browser Child Process - MacOS (sigma, medium)
Suspicious Communication App Child Process (elastic, medium)
Suspicious Download and Execute Pattern via Curl/Wget (sigma, high)
Suspicious Execution from Foomatic-rip or Cupsd Parent (elastic, high)
Suspicious HWP Sub Processes (sigma, high)
Suspicious Invocation of Shell via Rsync (sigma, high)
Suspicious macOS MS Office Child Process (elastic, medium)
Suspicious Microsoft Diagnostics Wizard Execution (elastic, high)
Suspicious MS Office Child Process (elastic, medium)
Suspicious PDF Reader Child Process (elastic, low)
Suspicious Spool Service Child Process (sigma, high)
Suspicious Zoom Child Process (elastic, medium)
Unusual Executable File Creation by a System Critical Process (elastic, high)
Windows MSC EvilTwin Directory Path Manipulation (splunk_escu)
Windows Remote Image Load (splunk_escu)
WPS Office Exploitation via DLL Hijack (elastic, high)