Applied Cybernetics Group
T1203 — Exploitation for Client Execution
- Technique
T1203- Tactics
- Execution
- MISP citations
- 0
- KEV CVEs mapped
- 43
- Community rules
- 33
- thrunt rules
- 0
- Upstream
- https://attack.mitre.org/techniques/T1203
MITRE description
Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility. Several types exist: ### Browser-based Exploitation Web browsers are a common target through [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) and [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed. ### Office Applications Common office and productivity applications such as Microsoft Office are also targeted through [Phishing](https://attack.mitre.org/techniques/T1566). Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run. ### Common Third-party Applications Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
CVE-2025-6558CVE-2025-6554CVE-2025-6543CVE-2025-5419CVE-2025-4427CVE-2025-43200CVE-2025-42999CVE-2025-3935CVE-2025-3248CVE-2025-31201CVE-2025-31200CVE-2025-30406CVE-2025-30397CVE-2025-2783CVE-2025-27038CVE-2025-24993CVE-2025-24016CVE-2024-5274CVE-2024-45195CVE-2024-26169CVE-2024-11120CVE-2023-49897CVE-2023-47565CVE-2023-36844CVE-2023-34048CVE-2023-26369CVE-2023-23397CVE-2023-21608CVE-2022-43769CVE-2022-41128CVE-2022-23748CVE-2022-20703CVE-2022-20701CVE-2021-39144CVE-2021-37975CVE-2021-30554CVE-2021-29256CVE-2021-27059CVE-2021-21206CVE-2021-21166CVE-2021-21148CVE-2018-4939CVE-2015-5119
Detection coverage
SigmaHQ community rules
- Exploit for CVE-2017-0261 (emerging-threats)
- Droppers Exploiting CVE-2017-11882 (emerging-threats)
- Exploit for CVE-2017-8759 (emerging-threats)
- Potential CVE-2021-26857 Exploitation Attempt (emerging-threats)
- CVE-2021-26858 Exchange Exploitation (emerging-threats)
- CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum (emerging-threats)
- CVE-2021-31979 CVE-2021-33771 Exploits (emerging-threats)
- OMIGOD HTTP No Authentication RCE - CVE-2021-38647 (emerging-threats)
- CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process (emerging-threats)
- Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE (emerging-threats)
- Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process (emerging-threats)
- Exploitation Activity of CVE-2025-59287 - WSUS Deserialization (emerging-threats)
- Shai-Hulud Malicious Bun Execution - Linux (emerging-threats)
- Shai-Hulud Malicious Bun Execution (emerging-threats)
- Dfsvc.EXE Network Connection To Non-Local IPs (threat-hunting)
- Dfsvc.EXE Initiated Network Connection Over Uncommon Port (threat-hunting)
- Antivirus Exploitation Framework Detection (core)
- Suspicious Download and Execute Pattern via Curl/Wget (core)
- OMIGOD SCX RunAsProvider ExecuteScript (core)
- OMIGOD SCX RunAsProvider ExecuteShellCommand (core)
- Suspicious Invocation of Shell via Rsync (core)
- Suspicious Browser Child Process - MacOS (core)
- Download From Suspicious TLD - Blacklist (core)
- Download From Suspicious TLD - Whitelist (core)
- Audit CVE Event (core)
Showing 25 of 33 community rules —
the full set is tagged attack.t1203 in
SigmaHQ.