Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >ATTACK
  3. >Execution
  4. >ATTACK-T1203
ATTACK-T1203Active

Exploitation for Client Execution

Statement

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.

Several types exist:

Browser-based Exploitation

Web browsers are a common target through Drive-by Compromise and Spearphishing Link. Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.

Office Applications

Common office and productivity applications such as Microsoft Office are also targeted through Phishing. Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.

Common Third-party Applications

Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.

Location

Tactic
Execution

Technique Details

Identifier
ATTACK-T1203
ATT&CK Page
View on MITRE

Tactics

Execution

Platforms

LinuxmacOSWindows

Detection

Exploitation for Client Execution – cross-platform behavior chain (browser/Office/3rd-party apps)

Mitigations

Exploit Protection: Deploy capabilities that detect, block, and mitigate conditions indicative of software exploits. These capabilities aim to prevent exploitation by addressing vulnerabilities, monitoring anomalous behaviors, and applying exploit-mitigation techniques to harden systems and software.

Operating System Exploit Protections:

  • Use Case: Enable built-in exploit protection features provided by modern operating systems, such as Microsoft's Exploit Protection, which includes techniques like Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG).
  • Implementation: Enforce DEP for all programs and enable ASLR to randomize memory addresses used by system and application processes. Windows: Configure Exploit Protection through the Windows Security app or deploy settings via Group Policy. ExploitProtectionExportSettings.exe -path "exploit_settings.xml" Linux: Use Kernel-level hardening features like SELinux, AppArmor, or GRSEC to enforce memory protections and prevent exploits.

Third-Party Endpoint Security:

  • Use Case: Use endpoint protection tools with built-in exploit protection, such as enhanced memory protection, behavior monitoring, and real-time exploit detection.
  • Implementation: Deploy tools to detect and block exploitation attempts targeting unpatched software.

Virtual Patching:

  • Use Case: Use tools to implement virtual patches that mitigate vulnerabilities in applications or operating systems until official patches are applied.
  • Implementation: Use Intrusion Prevention System (IPS) to block exploitation attempts on known vulnerabilities in outdated applications.

Hardening Application Configurations:

  • Use Case: Disable risky application features that can be exploited, such as macros in Microsoft Office or JScript in Internet Explorer.
  • Implementation: Configure Microsoft Office Group Policies to disable execution of macros in downloaded files.

Update Software: Software updates ensure systems are protected against known vulnerabilities by applying patches and upgrades provided by vendors. Regular updates reduce the attack surface and prevent adversaries from exploiting known security gaps. This includes patching operating systems, applications, drivers, and firmware. This mitigation can be implemented through the following measures:

Regular Operating System Updates

  • Implementation: Apply the latest Windows security updates monthly using WSUS (Windows Server Update Services) or a similar patch management solution. Configure systems to check for updates automatically and schedule reboots during maintenance windows.
  • Use Case: Prevents exploitation of OS vulnerabilities such as privilege escalation or remote code execution.

Application Patching

  • Implementation: Monitor Apache's update release notes for security patches addressing vulnerabilities. Schedule updates for off-peak hours to avoid downtime while maintaining security compliance.
  • Use Case: Prevents exploitation of web application vulnerabilities, such as those leading to unauthorized access or data breaches.

Firmware Updates

  • Implementation: Regularly check the vendor’s website for firmware updates addressing vulnerabilities. Plan for update deployment during scheduled maintenance to minimize business disruption.
  • Use Case: Protects against vulnerabilities that adversaries could exploit to gain access to network devices or inject malicious traffic.

Emergency Patch Deployment

  • Implementation: Use the emergency patch deployment feature of the organization's patch management tool to apply updates to all affected Exchange servers within 24 hours.
  • Use Case: Reduces the risk of exploitation by rapidly addressing critical vulnerabilities.

Centralized Patch Management

  • Implementation: Implement a centralized patch management system, such as SCCM or ManageEngine, to automate and track patch deployment across all environments. Generate regular compliance reports to ensure all systems are updated.
  • Use Case: Streamlines patching processes and ensures no critical systems are missed.

Tools for Implementation

Patch Management Tools:

  • WSUS: Manage and deploy Microsoft updates across the organization.
  • ManageEngine Patch Manager Plus: Automate patch deployment for OS and third-party apps.
  • Ansible: Automate updates across multiple platforms, including Linux and Windows.

Vulnerability Scanning Tools:

  • OpenVAS: Open-source vulnerability scanning to identify missing patches.

Application Isolation and Sandboxing: Application Isolation and Sandboxing refers to the technique of restricting the execution of code to a controlled and isolated environment (e.g., a virtual environment, container, or sandbox). This method prevents potentially malicious code from affecting the rest of the system or network by limiting access to sensitive resources and critical operations. The goal is to contain threats and minimize their impact. This mitigation can be implemented through the following measures:

Browser Sandboxing:

  • Use Case: Implement browser sandboxing to isolate untrusted web content and prevent malicious web pages or scripts from accessing sensitive system resources or initiating unauthorized downloads.
  • Implementation: Use browsers with built-in sandboxing features (e.g., Google Chrome, Microsoft Edge) or deploy enhanced browser security frameworks that limit the execution scope of active content. Consider controls that monitor or restrict script-based file generation and downloads commonly abused in evasion techniques like HTML smuggling.

Application Virtualization:

  • Use Case: Deploy critical or high-risk applications in a virtualized environment to ensure any compromise does not affect the host system.
  • Implementation: Use application virtualization platforms to run applications in isolated environments.

Email Attachment Sandboxing:

  • Use Case: Route email attachments to a sandbox environment to detect and block malware before delivering emails to end-users.
  • Implementation: Integrate security solutions with sandbox capabilities to analyze email attachments.

Endpoint Sandboxing:

  • Use Case: Run all downloaded files and applications in a restricted environment to monitor their behavior for malicious activity.
  • Implementation: Use endpoint protection tools for sandboxing at the endpoint level.
SP 800-53
SP800-53-AC-4relatedvia ctid-attack-to-sp800-53
SP800-53-AC-6relatedvia ctid-attack-to-sp800-53
SP800-53-CA-7relatedvia ctid-attack-to-sp800-53
SP800-53-CM-8relatedvia ctid-attack-to-sp800-53
SP800-53-SC-18relatedvia ctid-attack-to-sp800-53
View in graphReport an issue
← Back to Execution
Execution45 controls
ATTACK-T1047Windows Management InstrumentationATTACK-T1053Scheduled Task/JobATTACK-T1053.002AtATTACK-T1053.003CronATTACK-T1053.005Scheduled TaskATTACK-T1053.006Systemd TimersATTACK-T1053.007Container Orchestration JobATTACK-T1059Command and Scripting InterpreterATTACK-T1059.001PowerShellATTACK-T1059.002AppleScriptATTACK-T1059.003Windows Command ShellATTACK-T1059.004Unix ShellATTACK-T1059.005Visual BasicATTACK-T1059.006PythonATTACK-T1059.007JavaScriptATTACK-T1059.008Network Device CLIATTACK-T1059.009Cloud APIATTACK-T1059.010AutoHotKey & AutoITATTACK-T1059.011LuaATTACK-T1059.012Hypervisor CLIATTACK-T1059.013Container CLI/APIATTACK-T1072Software Deployment ToolsATTACK-T1106Native APIATTACK-T1129Shared ModulesATTACK-T1203Exploitation for Client ExecutionATTACK-T1204User ExecutionATTACK-T1204.001Malicious LinkATTACK-T1204.002Malicious FileATTACK-T1204.003Malicious ImageATTACK-T1204.004Malicious Copy and PasteATTACK-T1204.005Malicious LibraryATTACK-T1559Inter-Process CommunicationATTACK-T1559.001Component Object ModelATTACK-T1559.002Dynamic Data ExchangeATTACK-T1559.003XPC ServicesATTACK-T1569System ServicesATTACK-T1569.001LaunchctlATTACK-T1569.002Service ExecutionATTACK-T1569.003SystemctlATTACK-T1609Container Administration CommandATTACK-T1648Serverless ExecutionATTACK-T1651Cloud Administration CommandATTACK-T1674Input InjectionATTACK-T1675ESXi Administration CommandATTACK-T1677Poisoned Pipeline Execution