Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Several types exist:
Web browsers are a common target through Drive-by Compromise and Spearphishing Link. Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.
Common office and productivity applications such as Microsoft Office are also targeted through Phishing. Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.
Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.
ID | Name | Description |
---|---|---|
G0018 | admin@338 |
admin@338 has exploited client software vulnerabilities for execution, such as Microsoft Word CVE-2012-0158.[1] |
S0331 | Agent Tesla |
Agent Tesla has exploited Office vulnerabilities such as CVE-2017-11882 and CVE-2017-8570 for execution during delivery.[2] |
G0138 | Andariel |
Andariel has exploited numerous ActiveX vulnerabilities, including zero-days.[3][4][5] |
G0005 | APT12 |
APT12 has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611).[6][7] |
G0007 | APT28 |
APT28 has exploited Microsoft Office vulnerability CVE-2017-0262 for execution.[8] |
G0016 | APT29 |
APT29 has used multiple software exploits for common client software, like Microsoft Word, Exchange, and Adobe Reader, to gain code execution.[9][10][11] |
G0022 | APT3 |
APT3 has exploited the Adobe Flash Player vulnerability CVE-2015-3113 and Internet Explorer vulnerability CVE-2014-1776.[12][13] |
G0050 | APT32 |
APT32 has used RTF document that includes an exploit to execute malicious code. (CVE-2017-11882)[14] |
G0064 | APT33 |
APT33 has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250), and attempted to gain remote code execution via a security bypass vulnerability (CVE-2017-11774).[15][16] |
G0067 | APT37 |
APT37 has used exploits for Flash Player (CVE-2016-4117, CVE-2018-4878), Word (CVE-2017-0199), Internet Explorer (CVE-2020-1380 and CVE-2020-26411), and Microsoft Edge (CVE-2021-26411) for execution.[17][18][19][20] |
G0096 | APT41 |
APT41 leveraged the follow exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396.[21] |
S0239 | Bankshot |
Bankshot leverages a known zero-day vulnerability in Adobe Flash to execute the implant into the victims’ machines.[22] |
G0098 | BlackTech |
BlackTech has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities CVE-2012-0158, CVE-2014-6352, CVE-2017-0199, and Adobe Flash CVE-2015-5119. |
G0060 | BRONZE BUTLER |
BRONZE BUTLER has exploited Microsoft Office vulnerabilities CVE-2014-4114, CVE-2018-0802, and CVE-2018-0798 for execution.[23][24] |
G0080 | Cobalt Group |
Cobalt Group had exploited multiple vulnerabilities for execution, including Microsoft’s Equation Editor (CVE-2017-11882), an Internet Explorer vulnerability (CVE-2018-8174), CVE-2017-8570, CVE-2017-0199, and CVE-2017-8759.[25][26][27][28][29][30][31][32] |
S0154 | Cobalt Strike |
Cobalt Strike can exploit Oracle Java vulnerabilities for execution, including CVE-2011-3544, CVE-2013-2465, CVE-2012-4681, and CVE-2013-2460.[33][34] |
G0012 | Darkhotel |
Darkhotel has exploited Adobe Flash vulnerability CVE-2015-8651 for execution.[35] |
S0243 | DealersChoice |
DealersChoice leverages vulnerable versions of Flash to perform execution.[36] |
G0066 | Elderwood |
Elderwood has used exploitation of endpoint software, including Microsoft Internet Explorer Adobe Flash vulnerabilities, to gain execution. They have also used zero-day exploits.[37] |
S0396 | EvilBunny |
EvilBunny has exploited CVE-2011-4369, a vulnerability in the PRC component in Adobe Reader.[38] |
G0101 | Frankenstein |
Frankenstein has used CVE-2017-11882 to execute code on the victim's machine.[39] |
G0125 | HAFNIUM |
HAFNIUM has exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to compromise on-premises versions of Microsoft Exchange Server, enabling access to email accounts and installation of additional malware.[40][41][42] |
S0391 | HAWKBALL |
HAWKBALL has exploited Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802 to deliver the payload.[43] |
G0126 | Higaisa | |
G0100 | Inception |
Inception has exploited CVE-2012-0158, CVE-2014-1761, CVE-2017-11882 and CVE-2018-0802 for execution.[45][46][47][48] |
S0260 | InvisiMole |
InvisiMole has installed legitimate but vulnerable Total Video Player software and wdigest.dll library drivers on compromised hosts to exploit stack overflow and input validation vulnerabilities for code execution.[49] |
G0032 | Lazarus Group |
Lazarus Group has exploited Adobe Flash vulnerability CVE-2018-4878 for execution.[22] |
G0065 | Leviathan |
Leviathan has exploited multiple Microsoft Office and .NET vulnerabilities for execution, including CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882.[50][51][52][53] |
G0069 | MuddyWater |
MuddyWater has exploited the Office vulnerability CVE-2017-0199 for execution.[54] |
G0129 | Mustang Panda |
Mustang Panda has exploited CVE-2017-0199 in Microsoft Word to execute code.[55] |
G0040 | Patchwork |
Patchwork uses malicious documents to deliver remote execution exploits as part of. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, CVE-2017-11882, and CVE-2015-1641.[56][57][58][59][60][61][62] |
S0458 | Ramsay |
Ramsay has been embedded in documents exploiting CVE-2017-0199, CVE-2017-11882, and CVE-2017-8570.[63][64] |
G0034 | Sandworm Team |
Sandworm Team has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and Microsoft Word via crafted TIFF images (CVE-2013-3906).[65][66][67] |
G0121 | Sidewinder |
Sidewinder has exploited vulnerabilities to gain execution including CVE-2017-11882 and CVE-2020-0674.[68][69] |
S0374 | SpeakUp |
SpeakUp attempts to exploit the following vulnerabilities in order to execute its malicious script: CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, JBoss AS 3/4/5/6, and the Hadoop YARN ResourceManager. [70] |
S0578 | SUPERNOVA |
SUPERNOVA was installed via exploitation of a SolarWinds Orion API authentication bypass vulnerability (CVE-2020-10148).[71][72] |
G0062 | TA459 |
TA459 has exploited Microsoft Word vulnerability CVE-2017-0199 for execution.[73] |
G0089 | The White Company |
The White Company has taken advantage of a known vulnerability in Microsoft Word (CVE 2012-0158) to execute code.[74] |
G0027 | Threat Group-3390 |
Threat Group-3390 has exploited the Microsoft SharePoint vulnerability CVE-2019-0604.[75] |
G0131 | Tonto Team |
Tonto Team has exploited Microsoft vulnerabilities, including CVE-2018-8174, CVE-2018-0802, and CVE-2017-11882, as well as other vulnerabilities such as CVE-2019-9489 and CVE-2020-8468, to enable execution of their delivered malicious payloads.[76][77] |
G0134 | Transparent Tribe |
Transparent Tribe has crafted malicious files to exploit CVE-2012-0158 and CVE-2010-3333 for execution.[78] |
G0081 | Tropic Trooper |
Tropic Trooper has executed commands through Microsoft security vulnerabilities, including CVE-2017-11882, CVE-2018-0802, and CVE-2012-0158.[79][80] |
S0341 | Xbash |
Xbash can attempt to exploit known vulnerabilities in Hadoop, Redis, or ActiveMQ when it finds those services running in order to conduct further execution.[81][82] |
ID | Mitigation | Description |
---|---|---|
M1048 | Application Isolation and Sandboxing |
Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. [83] [84] Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. Risks of additional exploits and weaknesses in those systems may still exist. [84] |
M1050 | Exploit Protection |
Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. [85] Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. [86] Many of these protections depend on the architecture and target application binary for compatibility. |
Detecting software exploitation may be difficult depending on the tools available. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the browser or Office processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, evidence of Discovery, or other unusual network traffic that may indicate additional tools transferred to the system.