Exploitation for Client Execution
October 2, 2024
| Field | Value |
|---|---|
| ID | E1203 |
| Objective(s) | Execution, Impact |
| Related ATT&CK Techniques | Exploitation for Client Execution (T1203) |
| Impact Type | Breach |
| Version | 3.2 |
| Created | 1 August 2019 |
| Last Modified | 30 April 2024 |
Software is exploited, either through a vulnerability or through its designed features, to gain access for malware. In general, exploitation may be carried out by a human attacker, but MBC focuses on software exploits implemented in code. Malware-specific details are given below.
See ATT&CK: Exploitation for Client Execution (T1203).
Methods
| Name | ID | Description |
|---|---|---|
| File Transfer Protocol (FTP) Servers | E1203.m03 | Malware leverages an FTP server. |
| Java-based Web Servers | E1203.m02 | Malware leverages a Java-based web server. |
| Red Hat JBoss Enterprise Products | E1203.m04 | Malware leverages JBoss Enterprise products. |
| Remote Desktop Protocols | E1203.m01 | RDP is used by malware. |
| Sysinternals | E1203.m05 | Sysinternals tools are used for additional command line functionality. |
| Windows Utilities | E1203.m06 | One or more Windows utilities are used. |
Use in Malware
| Name | Date | Method | Description |
|---|---|---|---|
| SamSam | 2015 | E1203.m01 | Attackers associated with SamSam exploit vulnerabilities in remote desktop protocols (RDP), Java-based web servers, or file transfer protocol (FTP) servers. [1] |
Detection
| Tool: CAPE | Mapping | APIs |
|---|---|---|
| office_cve2017_11882 | Exploitation for Client Execution (E1203) | CreateProcessInternalW |
| office_cve2017_11882_network | Exploitation for Client Execution (E1203) | ConnectEx, URLDownloadToFileW |
| office_flash_load | Exploitation for Client Execution (E1203) | CoGetClassObject, CoCreateInstance |
| office_postscript | Exploitation for Client Execution (E1203) | NtWriteFile |
| persistence_rdp_registry | Exploitation for Client Execution::Remote Desktop Protocols (E1203.m01) | -- |
| exploit_getbasekerneladdress | Exploitation for Client Execution (E1203) | EnumDeviceDrivers, LdrGetProcedureAddress, LdrLoadDll, K32EnumDeviceDrivers |
| cve_2016_7200 | Exploitation for Client Execution (E1203) | JsEval, COleScript_ParseScriptText, COleScript_Compile |
| stack_pivot | Exploitation for Client Execution (E1203) | VirtualProtectEx, NtAllocateVirtualMemory, NtMapViewOfSection, NtWriteVirtualMemory, NtWow64WriteVirtualMemory64, URLDownloadToFileW, WriteProcessMemory, NtProtectVirtualMemory |
| stack_pivot_file_created | Exploitation for Client Execution (E1203) | NtCreateFile |
| stack_pivot_process_create | Exploitation for Client Execution (E1203) | NtCreateUserProcess, CreateProcessInternalW |
| uses_windows_utilities | Exploitation for Client Execution::Windows Utilities (E1203.m06) | -- |
| uses_windows_utilities_curl | Exploitation for Client Execution::Windows Utilities (E1203.m06) | -- |
| cve_2014_6332 | Exploitation for Client Execution (E1203) | JsEval, COleScript_ParseScriptText, COleScript_Compile |
| exploit_gethaldispatchtable | Exploitation for Client Execution (E1203) | LdrGetProcedureAddress, LdrLoadDll |
| cve_2015_2419_js | Exploitation for Client Execution (E1203) | JsEval, COleScript_ParseScriptText, COleScript_Compile |
| sysinternals_psexec | Exploitation for Client Execution (E1203) | -- |
| sysinternals_psexec | Exploitation for Client Execution::Sysinternals (E1203.m05) | -- |
| sysinternals_tools | Exploitation for Client Execution (E1203) | -- |
| sysinternals_tools | Exploitation for Client Execution::Sysinternals (E1203.m05) | -- |
| uses_rdp_clip | Exploitation for Client Execution::Remote Desktop Protocols (E1203.m01) | -- |
| uses_remote_desktop_session | Exploitation for Client Execution::Remote Desktop Protocols (E1203.m01) | -- |
| cve_2016-0189 | Exploitation for Client Execution (E1203) | JsEval, COleScript_ParseScriptText, COleScript_Compile |
| exploit_heapspray | Exploitation for Client Execution (E1203) | NtAllocateVirtualMemory |
| rtf_aslr_bypass | Exploitation for Client Execution (E1203) | -- |
| rtf_exploit_static | Exploitation for Client Execution (E1203) | -- |
References
[1] https://blog.malwarebytes.com/cybercrime/2018/05/samsam-ransomware-need-know/