Detect Exploitation for Client Execution in IBM QRadar

Adversaries may exploit software vulnerabilities in client applications to execute code. This includes browser-based exploitation via drive-by compromise or spearphishing links, Office application exploitation through malicious attachments (CVE-2017-11882, CVE-2017-0262, CVE-2021-40444), and third-party application exploitation (Adobe Reader, Flash). These exploits cause vulnerable client software to execute attacker-controlled code, often spawning unexpected child processes or injecting shellcode into memory.

MITRE ATT&CK

Tactic: Execution
Technique: T1203 Exploitation for Client Execution
Canonical reference: https://attack.mitre.org/techniques/T1203/

QRadar Detection Query

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  devicehostname AS Hostname,
  username AS User,
  CASE
    WHEN LOWER("ParentProcessPath") MATCHES '(?i).*(winword|excel|powerpnt|outlook|mspub|visio|onenote|msaccess)\.exe.*' THEN 'Office Application'
    WHEN LOWER("ParentProcessPath") MATCHES '(?i).*(chrome|firefox|msedge|iexplore|opera|brave)\.exe.*' THEN 'Browser'
    WHEN LOWER("ParentProcessPath") MATCHES '(?i).*(acrord32|acrobat|foxit|sumatrapdf)\.exe.*' THEN 'PDF Reader'
    ELSE 'Other'
  END AS ExploitVector,
  "ParentProcessPath",
  "ParentCommandLine",
  "ProcessPath",
  "CommandLine",
  CASE
    WHEN LOWER("ProcessPath") MATCHES '(?i).*(powershell|pwsh|mshta|regsvr32|rundll32|wscript|cscript)\.exe.*' THEN 'true'
    ELSE 'false'
  END AS HighRisk
FROM events
WHERE LOGSOURCETYPEID IN (12, 433)
  AND QIDNAME(qid) = 'Process Create'
  AND (
    LOWER("ParentProcessPath") MATCHES '(?i).*(winword|excel|powerpnt|outlook|mspub|visio|onenote|msaccess)\.exe.*'
    OR LOWER("ParentProcessPath") MATCHES '(?i).*(chrome|firefox|msedge|iexplore|opera|brave)\.exe.*'
    OR LOWER("ParentProcessPath") MATCHES '(?i).*(acrord32|acrobat|foxit|sumatrapdf)\.exe.*'
  )
  AND LOWER("ProcessPath") MATCHES '(?i).*(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msbuild|installutil|regasm|regsvcs|schtasks|wmic|msiexec)\.exe.*'
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
```

Severity: high. Confidence: medium.

IBM QRadar AQL query detecting T1203 client exploitation using Sysmon Process Create (Event ID 1) custom properties mapped via the Sysmon DSM. Correlates the ParentProcessPath custom property against known client application families (Office, browser, PDF reader) and ProcessPath against a curated LOLBin and script interpreter list. LOGSOURCETYPEID 12 covers WinCollect Windows Security and 433 covers Sysmon via Universal DSM. Requires ParentProcessPath and ProcessPath custom properties to be defined and extracted in QRadar's DSM Editor for the Sysmon log source.
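To check what the rule above would actually return before deploying it, the following Python dry run (an added example, not code from the detection page or from IBM) reimplements the query's WHERE filter and both CASE expressions over constructed Sysmon Event ID 1 records. AQL MATCHES has whole-string semantics like Java's matches(), so re.fullmatch is used with the same patterns; the ParentImage/Image field names and all sample paths are assumptions.

```python
import re
from typing import Dict, List, Optional

# Patterns copied verbatim from the AQL MATCHES clauses (Python regex syntax agrees here).
CLIENT_FAMILIES = {
    "Office Application": r"(?i).*(winword|excel|powerpnt|outlook|mspub|visio|onenote|msaccess)\.exe.*",
    "Browser": r"(?i).*(chrome|firefox|msedge|iexplore|opera|brave)\.exe.*",
    "PDF Reader": r"(?i).*(acrord32|acrobat|foxit|sumatrapdf)\.exe.*",
}
CHILD_LOLBINS = (r"(?i).*(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin"
                 r"|msbuild|installutil|regasm|regsvcs|schtasks|wmic|msiexec)\.exe.*")
HIGH_RISK = r"(?i).*(powershell|pwsh|mshta|regsvr32|rundll32|wscript|cscript)\.exe.*"


def exploit_vector(parent_path: str) -> str:
    """First CASE expression: classify the parent into a client application family."""
    for label, pattern in CLIENT_FAMILIES.items():
        if re.fullmatch(pattern, parent_path.lower()):
            return label
    return "Other"


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Apply the WHERE clause to one Process Create event; return the result row or None."""
    if event.get("EventID") != "1":          # QIDNAME(qid) = 'Process Create' analogue
        return None
    vector = exploit_vector(event["ParentImage"])
    child = event["Image"].lower()
    if vector == "Other" or not re.fullmatch(CHILD_LOLBINS, child):
        return None
    return {"ExploitVector": vector, "ProcessPath": event["Image"],
            "HighRisk": "true" if re.fullmatch(HIGH_RISK, child) else "false"}


def run(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [row for row in (evaluate(e) for e in events) if row]


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": "1", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": "1", "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # cmd.exe -> powershell.exe: parent is not a client application, so the rule stays silent.
    {"EventID": "1", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Acrobat -> certutil.exe: matches, and is the tuning candidate listed under False Positives.
    {"EventID": "1", "ParentImage": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
     "Image": r"C:\Windows\System32\certutil.exe"},
]
```

Running run(SAMPLE_EVENTS) returns three rows; only the Word-to-PowerShell row is flagged HighRisk, which matches the query's narrower second CASE list.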

Data Sources

  • IBM QRadar SIEM
  • Sysmon via WinCollect Agent
  • Microsoft Windows Security Event Log DSM

Required Tables

events

False Positives & Tuning

  • Business intelligence or finance team Office macros that legitimately call PowerShell or cmd.exe for scheduled report generation, SharePoint data sync, or ERP export automation
  • Enterprise GPO-deployed browser extensions that spawn msiexec.exe for silent component updates or DLP agent installation triggered by browser policy enforcement
  • PDF-based digital signing workflows in legal or compliance environments where Acrobat or Foxit calls certutil.exe for certificate chain validation during document signing
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Office Exploitation — Equation Editor Child Process

    Expected signal: Sysmon Event ID 1: Process Create with ParentImage containing eqnedt32.exe and Image=cmd.exe. Security Event ID 4688 with similar parent/child relationship if command line auditing enabled.

  2. Test 2: Office Application Spawning PowerShell via Macro Simulation

    Expected signal: Sysmon Event ID 1: Process Create chain showing cmd.exe spawning powershell.exe. The detection focuses on the child process spawning pattern. PowerShell ScriptBlock Log Event ID 4104 will record the Write-Output command.

  3. Test 3: Browser Renderer Process Spawning Cmd

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with subsequent net.exe and whoami.exe child processes. This represents the reconnaissance commands commonly executed immediately following successful browser exploitation.

  4. Test 4: Mshta Spawned from Office Context (CVE-2021-40444 Pattern)

    Expected signal: Sysmon Event ID 1: Process Create for mshta.exe. In real exploitation this process would have a parent of winword.exe or excel.exe. Security Event ID 4688 will also record the mshta.exe launch with command line arguments.
