Exploitation for Client Execution

October 2, 2024

| Field | Value |
| --- | --- |
| ID | E1203 |
| Objective(s) | Execution, Impact |
| Related ATT&CK Techniques | Exploitation for Client Execution (T1203) |
| Impact Type | Breach |
| Version | 3.2 |
| Created | 1 August 2019 |
| Last Modified | 30 April 2024 |

Software is exploited - either because of a vulnerability or through its designed features - to gain access for malware. In general, exploitation may be done by a human attacker, but MBC focuses on software exploits implemented in code. Malware-specific details are below.

See ATT&CK: Exploitation for Client Execution (T1203).

Methods

| Name | ID | Description |
| --- | --- | --- |
| File Transfer Protocol (FTP) Servers | E1203.m03 | Malware leverages an FTP server. |
| Java-based Web Servers | E1203.m02 | Malware leverages a Java-based web server. |
| Red Hat JBoss Enterprise Products | E1203.m04 | Malware leverages JBoss Enterprise products. |
| Remote Desktop Protocols | E1203.m01 | RDP is used by malware. |
| Sysinternals | E1203.m05 | Sysinternals tools are used for additional command line functionality. |
| Windows Utilities | E1203.m06 | One or more Windows utilities are used. |

Use in Malware

| Name | Date | Method | Description |
| --- | --- | --- | --- |
| SamSam | 2015 | E1203.m01 | Attackers associated with SamSam exploit vulnerabilities in remote desktop protocols (RDP), Java-based web servers, or file transfer protocol (FTP) servers. [1] |

Detection

| Tool: CAPE | Mapping | APIs |
| --- | --- | --- |
| office_cve2017_11882 | Exploitation for Client Execution (E1203) | CreateProcessInternalW |
| office_cve2017_11882_network | Exploitation for Client Execution (E1203) | ConnectEx, URLDownloadToFileW |
| office_flash_load | Exploitation for Client Execution (E1203) | CoGetClassObject, CoCreateInstance |
| office_postscript | Exploitation for Client Execution (E1203) | NtWriteFile |
| persistence_rdp_registry | Exploitation for Client Execution::Remote Desktop Protocols (E1203.m01) | -- |
| exploit_getbasekerneladdress | Exploitation for Client Execution (E1203) | EnumDeviceDrivers, LdrGetProcedureAddress, LdrLoadDll, K32EnumDeviceDrivers |
| cve_2016_7200 | Exploitation for Client Execution (E1203) | JsEval, COleScript_ParseScriptText, COleScript_Compile |
| stack_pivot | Exploitation for Client Execution (E1203) | VirtualProtectEx, NtAllocateVirtualMemory, NtMapViewOfSection, NtWriteVirtualMemory, NtWow64WriteVirtualMemory64, URLDownloadToFileW, WriteProcessMemory, NtProtectVirtualMemory |
| stack_pivot_file_created | Exploitation for Client Execution (E1203) | NtCreateFile |
| stack_pivot_process_create | Exploitation for Client Execution (E1203) | NtCreateUserProcess, CreateProcessInternalW |
| uses_windows_utilities | Exploitation for Client Execution::Windows Utilities (E1203.m06) | -- |
| uses_windows_utilities_curl | Exploitation for Client Execution::Windows Utilities (E1203.m06) | -- |
| cve_2014_6332 | Exploitation for Client Execution (E1203) | JsEval, COleScript_ParseScriptText, COleScript_Compile |
| exploit_gethaldispatchtable | Exploitation for Client Execution (E1203) | LdrGetProcedureAddress, LdrLoadDll |
| cve_2015_2419_js | Exploitation for Client Execution (E1203) | JsEval, COleScript_ParseScriptText, COleScript_Compile |
| sysinternals_psexec | Exploitation for Client Execution (E1203) | -- |
| sysinternals_psexec | Exploitation for Client Execution::Sysinternals (E1203.m05) | -- |
| sysinternals_tools | Exploitation for Client Execution (E1203) | -- |
| sysinternals_tools | Exploitation for Client Execution::Sysinternals (E1203.m05) | -- |
| uses_rdp_clip | Exploitation for Client Execution::Remote Desktop Protocols (E1203.m01) | -- |
| uses_remote_desktop_session | Exploitation for Client Execution::Remote Desktop Protocols (E1203.m01) | -- |
| cve_2016-0189 | Exploitation for Client Execution (E1203) | JsEval, COleScript_ParseScriptText, COleScript_Compile |
| exploit_heapspray | Exploitation for Client Execution (E1203) | NtAllocateVirtualMemory |
| rtf_aslr_bypass | Exploitation for Client Execution (E1203) | -- |
| rtf_exploit_static | Exploitation for Client Execution (E1203) | -- |

References

[1] https://blog.malwarebytes.com/cybercrime/2018/05/samsam-ransomware-need-know/