exploitation-for-client-execution.md

File metadata and controls

89 lines (76 loc) · 6.93 KB
|**ID**|**Objective(s)**|**Related ATT&CK Techniques**|**Impact Type**|**Version**|**Created**|**Last Modified**|
|----|----|----|----|----|----|----|
|E1203|Execution, Impact|Exploitation for Client Execution (T1203)|Breach|3.2|1 August 2019|30 April 2024|

# Exploitation for Client Execution

Software is exploited, either through a vulnerability or through its designed features, to give malware access to a system. In general, exploitation may be carried out by a human attacker, but MBC focuses on software exploits implemented in code. Malware-specific details are listed below.

See ATT&CK: [Exploitation for Client Execution (T1203)](https://attack.mitre.org/techniques/T1203/).

## Methods

|Name|ID|Description|
|----|----|----|
|File Transfer Protocol (FTP) Servers|E1203.m03|Malware leverages an FTP server.|
|Java-based Web Servers|E1203.m02|Malware leverages a Java-based web server.|
|Red Hat JBoss Enterprise Products|E1203.m04|Malware leverages Red Hat JBoss Enterprise products.|
|Remote Desktop Protocols|E1203.m01|Malware leverages Remote Desktop Protocol (RDP).|
|Sysinternals|E1203.m05|Malware uses Sysinternals tools for additional command-line functionality.|
|Windows Utilities|E1203.m06|Malware uses one or more built-in Windows utilities.|

## Use in Malware

|Name|Date|Method|Description|
|----|----|----|----|
|SamSam|2015|E1203.m01|Attackers associated with SamSam exploit vulnerabilities in Remote Desktop Protocol (RDP), Java-based web servers, or File Transfer Protocol (FTP) servers. [[1]](#1)|

## Detection

|Tool: CAPE|Mapping|APIs|
|----|----|----|
|office_cve2017_11882|Exploitation for Client Execution (E1203)|CreateProcessInternalW|
|office_cve2017_11882_network|Exploitation for Client Execution (E1203)|ConnectEx, URLDownloadToFileW|
|office_flash_load|Exploitation for Client Execution (E1203)|CoGetClassObject, CoCreateInstance|
|office_postscript|Exploitation for Client Execution (E1203)|NtWriteFile|
|persistence_rdp_registry|Exploitation for Client Execution::Remote Desktop Protocols (E1203.m01)|--|
|exploit_getbasekerneladdress|Exploitation for Client Execution (E1203)|EnumDeviceDrivers, LdrGetProcedureAddress, LdrLoadDll, K32EnumDeviceDrivers|
|cve_2016_7200|Exploitation for Client Execution (E1203)|JsEval, COleScript_ParseScriptText, COleScript_Compile|
|stack_pivot|Exploitation for Client Execution (E1203)|VirtualProtectEx, NtAllocateVirtualMemory, NtMapViewOfSection, NtWriteVirtualMemory, NtWow64WriteVirtualMemory64, URLDownloadToFileW, WriteProcessMemory, NtProtectVirtualMemory|
|stack_pivot_file_created|Exploitation for Client Execution (E1203)|NtCreateFile|
|stack_pivot_process_create|Exploitation for Client Execution (E1203)|NtCreateUserProcess, CreateProcessInternalW|
|uses_windows_utilities|Exploitation for Client Execution::Windows Utilities (E1203.m06)|--|
|uses_windows_utilities_curl|Exploitation for Client Execution::Windows Utilities (E1203.m06)|--|
|cve_2014_6332|Exploitation for Client Execution (E1203)|JsEval, COleScript_ParseScriptText, COleScript_Compile|
|exploit_gethaldispatchtable|Exploitation for Client Execution (E1203)|LdrGetProcedureAddress, LdrLoadDll|
|cve_2015_2419_js|Exploitation for Client Execution (E1203)|JsEval, COleScript_ParseScriptText, COleScript_Compile|
|sysinternals_psexec|Exploitation for Client Execution (E1203)|--|
|sysinternals_psexec|Exploitation for Client Execution::Sysinternals (E1203.m05)|--|
|sysinternals_tools|Exploitation for Client Execution (E1203)|--|
|sysinternals_tools|Exploitation for Client Execution::Sysinternals (E1203.m05)|--|
|uses_rdp_clip|Exploitation for Client Execution::Remote Desktop Protocols (E1203.m01)|--|
|uses_remote_desktop_session|Exploitation for Client Execution::Remote Desktop Protocols (E1203.m01)|--|
|cve_2016-0189|Exploitation for Client Execution (E1203)|JsEval, COleScript_ParseScriptText, COleScript_Compile|
|exploit_heapspray|Exploitation for Client Execution (E1203)|NtAllocateVirtualMemory|
|rtf_aslr_bypass|Exploitation for Client Execution (E1203)|--|
|rtf_exploit_static|Exploitation for Client Execution (E1203)|--|
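The detection rows above pair each CAPE signature name with the Windows APIs that signature inspects. The following Python script is an added example, not code from MBC or from CAPE: it reads a CAPE/Cuckoo-style `report.json` (assumed layout: `behavior.processes[].calls[].api`, with a `process_name` on each process) and reports, per process, which E1203 rows have their evidence APIs present in the trace. The embedded report is constructed for illustration; the API sets are copied from the table, and rows whose API column is `--` are left out because they key on process names or command lines rather than API calls.

```python
"""Triage a CAPE/Cuckoo report against the E1203 detection rows.

Added example, not MBC or CAPE code.  Assumes the Cuckoo/CAPE report.json
layout behavior.processes[].calls[].api; SAMPLE_REPORT below is constructed.
"""
import json

# Signature -> APIs it inspects, copied from the Detection table.  Every row
# kept here maps to E1203 itself; the sub-method rows (m01/m05/m06) have no
# API column and are handled elsewhere (process name / command line).
E1203_API_ROWS = {
    "office_cve2017_11882": {"CreateProcessInternalW"},
    "office_cve2017_11882_network": {"ConnectEx", "URLDownloadToFileW"},
    "office_flash_load": {"CoGetClassObject", "CoCreateInstance"},
    "office_postscript": {"NtWriteFile"},
    "exploit_getbasekerneladdress": {"EnumDeviceDrivers", "LdrGetProcedureAddress",
                                     "LdrLoadDll", "K32EnumDeviceDrivers"},
    "cve_2016_7200": {"JsEval", "COleScript_ParseScriptText", "COleScript_Compile"},
    "stack_pivot": {"VirtualProtectEx", "NtAllocateVirtualMemory", "NtMapViewOfSection",
                    "NtWriteVirtualMemory", "NtWow64WriteVirtualMemory64",
                    "URLDownloadToFileW", "WriteProcessMemory", "NtProtectVirtualMemory"},
    "stack_pivot_file_created": {"NtCreateFile"},
    "stack_pivot_process_create": {"NtCreateUserProcess", "CreateProcessInternalW"},
    "cve_2014_6332": {"JsEval", "COleScript_ParseScriptText", "COleScript_Compile"},
    "exploit_gethaldispatchtable": {"LdrGetProcedureAddress", "LdrLoadDll"},
    "cve_2015_2419_js": {"JsEval", "COleScript_ParseScriptText", "COleScript_Compile"},
    "cve_2016-0189": {"JsEval", "COleScript_ParseScriptText", "COleScript_Compile"},
    "exploit_heapspray": {"NtAllocateVirtualMemory"},
}

# Constructed report: an Office process that fetches and launches a payload,
# plus a child cmd.exe that only allocates memory.
SAMPLE_REPORT = json.loads("""
{
  "behavior": {
    "processes": [
      {"process_name": "WINWORD.EXE", "pid": 1234,
       "calls": [{"api": "NtCreateFile"},
                 {"api": "URLDownloadToFileW"},
                 {"api": "ConnectEx"},
                 {"api": "CreateProcessInternalW"}]},
      {"process_name": "cmd.exe", "pid": 1300,
       "calls": [{"api": "NtAllocateVirtualMemory"}]}
    ]
  }
}
""")


def apis_per_process(report):
    """Return {process_name: set of API names called} from a report dict."""
    out = {}
    for proc in report.get("behavior", {}).get("processes", []):
        name = proc.get("process_name", "?")
        out.setdefault(name, set()).update(c["api"] for c in proc.get("calls", []))
    return out


def match_rows(apis):
    """Map observed API names onto the Detection table.

    Returns {signature: (sorted matched APIs, all_seen)}.  A hit means the APIs
    that signature inspects were called, i.e. the signature is worth running on
    this trace.  It is not by itself evidence of exploitation: NtCreateFile or
    NtAllocateVirtualMemory appear in benign code too, so single-API rows such
    as office_postscript or exploit_heapspray fire on almost any sample.
    """
    hits = {}
    for sig, needed in E1203_API_ROWS.items():
        seen = needed & apis
        if seen:
            hits[sig] = (sorted(seen), seen == needed)
    return hits


def triage(report):
    """Per-process matches for a whole report: {process: {signature: (...)}}."""
    return {proc: match_rows(apis) for proc, apis in apis_per_process(report).items()}


if __name__ == "__main__":
    for proc, hits in triage(SAMPLE_REPORT).items():
        print(proc)
        for sig, (seen, complete) in sorted(hits.items()):
            print(f"  {sig:30} {'full' if complete else 'partial':8} {', '.join(seen)}")
```

Treat a `full` match as a prompt to read that signature's own logic (argument checks, sequence, originating module) rather than as a verdict; the API column records what the signature hooks, not a standalone indicator. Rows such as `sysinternals_psexec`, `uses_windows_utilities` and `persistence_rdp_registry` need process-name, command-line or registry evidence and are not covered by this matcher.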

## References

<a name="1">[1]</a> https://blog.malwarebytes.com/cybercrime/2018/05/samsam-ransomware-need-know/