Exploitation for Client Execution
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility. Several types exist: ### Browser-based Exploitation Web browsers are a common target through Drive-by Compromise and Spearphishing Link. Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed. ### Office Applications Common office and productivity applications such as Microsoft Office are also targeted through Phishing. Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run. ### Common Third-party Applications Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
Open detection, hunting, mitigation, and evidence workspace
Detection logic
Detecting software exploitation may be difficult depending on the tools available. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the browser or Office processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.
Observed actors
G0066APT3
G0022EXOTIC LILY
G1011admin@338
G0018Patchwork
G0040APT41
G0096Dragonfly
G0035APT32
G0050MuddyWater
G0069Sandworm Team
G0034Andariel
G0138Sidewinder
G0121Mustang Panda
G0129APT37
G0067Higaisa
G0126Tropic Trooper
G0081TA459
G0062Aoqin Dragon
G1007The White Company
G0089Saint Bear
G1031Confucius
G0142BlackTech
G0098Leviathan
G0065BITTER
G1002APT29
G0016BRONZE BUTLER
G0060Darkhotel
G0012Axiom
G0001Ember Bear
G1003APT28
G0007APT12
G0005Tonto Team
G0131Lazarus Group
G0032Cobalt Group
G0080Transparent Tribe
G0134Inception
G0100Threat Group-3390
G0027APT33
G0064