Exploitation for Client Execution T1203

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that lead to unanticipated behavior, and adversaries take advantage of such vulnerabilities through targeted exploitation to achieve arbitrary code execution. Oftentimes the most valuable exploits in an offensive toolkit are those that obtain code execution on a remote system, because they can be used to gain access to that system. Users expect to see files related to the applications they commonly use for work (document editors, PDF readers, browsers), so those applications are a useful target for exploit research and development because of their high utility.

Events covered

11 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 44 rules tagged with this technique: which fields they filter on, which specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (32 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
Image | 18 | ends_with 17, contains 2 | \cmd.exe, \cscript.exe, \mshta.exe, \dfsvc.exe, \powershell.exe
ParentImage | 14 | ends_with 13, eq 1 | \winrar.exe, \winword.exe, /node, \arcsoc.exe, \eqnedt32.exe
parent_process_name | 12 | eq 7, match 4, in 1 | (?i)EQNEDT32.EXE, excel.exe, outlook.exe, (?i)java\.exe, AcroRd32.exe
event.type | 10 | eq 10, ne 1 | start, creation, deletion
CommandLine | 9 | contains 6, regex_match 2, ends_with 1, eq 1, match 1 | && echo, (?i).*mmc\.exe.*((Windows\s+\\\\System32)|(Windows\s+Syst..., -fssl, .jse, .spl
process_name | 7 | eq 7 | arp.exe, atbroker.exe, bginfo.exe, cmd.exe, conhost.exe
EventID | 5 | eq 5 | 7, 4688, 22
ImageLoaded | 4 | ends_with 2, starts_with 1, wildcard 1 | ?:\users\*\appdata\local\temp\wps\inetcache\*, \\*, \\\\, \\sdiageng.dll, \device\mup\**
OriginalFileName | 4 | eq 4 | cmd.exe, cscript.exe, mshta.exe, powershell.exe, rundll32.exe
TargetFilename | 4 | contains 2, ends_with 1, wildcard 1 | .cfg, .log, .txt, ?:\users\*\appdata\local\temp\wps\inetcache\*, \\*
Initiated | 3 | eq 3 | true
DestinationPort | 2 | eq 2 | 443, 143, 25, 53, 80
EventType | 2 | eq 1, starts_with 1 | FileCreated, Image loaded
ParentCommandLine | 2 | contains 2 | .webp, wsuspool
Type | 2 | eq 2 | 

Top indicator values (394 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition (a parent process, a command-line pattern, a file path) for useful signal. Blank means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
event.type | eq | start | 9 | 241
Image | ends_with | \cmd.exe | 6 | 134
Image | ends_with | \powershell.exe | 6 | 186
Image | ends_with | \pwsh.exe | 6 | 172
Image | ends_with | \cscript.exe | 4 | 76
Image | ends_with | \rundll32.exe | 4 | 103
Image | ends_with | \wscript.exe | 4 | 78
Image | ends_with | \mshta.exe | 3 | 69
Image | ends_with | \regsvr32.exe | 3 | 68
Image | ends_with | \dfsvc.exe | 2 | 2
Image | ends_with | \wmic.exe | 2 | 61
EventID | eq | 7 | 3 | 39
EventID | eq | 4688 | 2 | 312
Initiated | eq | true | 3 | 48
OriginalFileName | eq | cmd.exe | 3 | 65
OriginalFileName | eq | cscript.exe | 3 | 19
OriginalFileName | eq | powershell.exe | 3 | 121
OriginalFileName | eq | pwsh.dll | 3 | 112
OriginalFileName | eq | rundll32.exe | 3 | 62
OriginalFileName | eq | wscript.exe | 3 | 20
parent_process_name | match | (?i)EQNEDT32.EXE | 3 | 3
process_name | eq | cmd.exe | 3 | 75
process_name | eq | ipconfig.exe | 3 | 8
process_name | eq | netsh.exe | 3 | 18
process_name | eq | powershell.exe | 3 | 99
process_name | eq | pwsh.exe | 3 | 60
CommandLine | contains | bun_environment.js | 2 | 2
CommandLine | contains | https://github.com/actions/runner/releases/download/v2.330.0 | 2 | 2
DestinationPort | eq | 443 | 2 | 10
DestinationPort | eq | 80 | 2 | 12

Exclusions (199 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
process.code_signature.trusted | eq | true | 3
DestinationPort | eq | 443 | 2
DestinationPort | eq | 80 | 2
Image | wildcard | ?:\users\*\appdata\local\google\chrome\application\chrome.exe | 2
Image | wildcard | ?:\users\*\appdata\local\island\island\application\island.exe | 2
Image | wildcard | ?:\users\*\appdata\local\mozilla firefox\firefox.exe | 2
Image | wildcard | ?:\windows\system32\werfault.exe | 2
Image | wildcard | ?:\windows\syswow64\werfault.exe | 2
dest_ip | cidr_match | 10.0.0.0/8 | 2
dest_ip | cidr_match | 127.0.0.0/8 | 2
dest_ip | cidr_match | 169.254.0.0/16 | 2
dest_ip | cidr_match | 172.16.0.0/12 | 2
dest_ip | cidr_match | 192.168.0.0/16 | 2
dest_ip | cidr_match | ::1/128 | 2
dest_ip | cidr_match | fc00::/7 | 2

Rules under this technique

The 44 rules in the catalog tagged with this technique, counted by vendor:

Sigma: 22 rules
Elastic: 11 rules
Splunk: 8 rules
Kusto: 3 rules