Detect Exploitation for Client Execution in Sumo Logic CSE
Adversaries may exploit software vulnerabilities in client applications to execute code. This includes browser-based exploitation via drive-by compromise or spearphishing links, Office application exploitation through malicious attachments (CVE-2017-11882, CVE-2017-0262, CVE-2021-40444), and third-party application exploitation (Adobe Reader, Flash). These exploits cause vulnerable client software to execute attacker-controlled code, often spawning unexpected child processes or injecting shellcode into memory.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1203 Exploitation for Client Execution
- Canonical reference
- https://attack.mitre.org/techniques/T1203/
Sumo Detection Query
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
| where EventID = "1"
| parse regex field=ParentImage "(?i).*\\\\(?P<ParentImageName>[^\\\\]+)$" nodrop
| parse regex field=Image "(?i).*\\\\(?P<ChildImageName>[^\\\\]+)$" nodrop
| toLowerCase(ParentImageName) as ParentImageLower
| toLowerCase(ChildImageName) as ChildImageLower
| where ParentImageLower in ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mspub.exe", "visio.exe", "onenote.exe", "msaccess.exe", "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe", "brave.exe", "acrord32.exe", "acrobat.exe", "foxitpdfeditor.exe", "sumatrapdf.exe")
| where ChildImageLower in ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "schtasks.exe", "at.exe", "wmic.exe", "msiexec.exe")
| if(ParentImageLower in ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mspub.exe", "visio.exe", "onenote.exe", "msaccess.exe"), "Office Application", if(ParentImageLower in ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe", "brave.exe"), "Browser", if(ParentImageLower in ("acrord32.exe", "acrobat.exe", "foxitpdfeditor.exe", "sumatrapdf.exe"), "PDF Reader", "Other"))) as ExploitVector
| if(ChildImageLower in ("powershell.exe", "pwsh.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "wscript.exe", "cscript.exe"), "true", "false") as HighRisk
| fields _messageTime, Computer, User, ExploitVector, ParentImageName, ParentCommandLine, ChildImageName, CommandLine, HighRisk
| sort by _messageTime desc

Sumo Logic search detecting T1203 client exploitation via Sysmon Event ID 1 (Process Create) logs. Extracts parent and child process base filenames from full image paths using regex named capture groups, then performs exact lowercase case-insensitive matching against Office, browser, and PDF reader application lists as parent processes and the LOLBin/script interpreter set as children. Classifies the exploit vector and flags high-risk child processes for analyst triage prioritization.
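To let you check the query's logic offline, here is the same parent/child classification re-implemented in Python over a handful of constructed Sysmon Event ID 1 records. This is an added example, not Sumo Logic's or the detection author's code; the host names, paths and command lines are made up for the test.

```python
import re
from typing import Optional

# Parent and child lists copied from the Sumo query above.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mspub.exe",
          "visio.exe", "onenote.exe", "msaccess.exe"}
BROWSER = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe", "brave.exe"}
PDF = {"acrord32.exe", "acrobat.exe", "foxitpdfeditor.exe", "sumatrapdf.exe"}
CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
            "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "msbuild.exe",
            "installutil.exe", "regasm.exe", "regsvcs.exe", "schtasks.exe", "at.exe",
            "wmic.exe", "msiexec.exe"}
HIGH_RISK = {"powershell.exe", "pwsh.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
             "wscript.exe", "cscript.exe"}

# Same idea as the query's parse regex: keep whatever follows the last backslash.
BASENAME_RE = re.compile(r"(?i).*\\(?P<name>[^\\]+)$")

def basename(image: str) -> Optional[str]:
    """Lowercased file name from a full image path; None if there is no path (the query's nodrop case)."""
    m = BASENAME_RE.match(image)
    return m.group("name").lower() if m else None

def exploit_vector(parent: str) -> str:
    """Mirror of the nested if() in the query."""
    if parent in OFFICE:
        return "Office Application"
    if parent in BROWSER:
        return "Browser"
    return "PDF Reader" if parent in PDF else "Other"

def evaluate(event: dict) -> Optional[dict]:
    """Return a finding for one Sysmon Event ID 1 record, or None if it does not match."""
    if str(event.get("EventID")) != "1":
        return None
    parent, child = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
    if parent not in (OFFICE | BROWSER | PDF) or child not in CHILDREN:
        return None
    return {"Computer": event["Computer"], "ExploitVector": exploit_vector(parent),
            "ParentImageName": parent, "ChildImageName": child,
            "HighRisk": child in HIGH_RISK, "CommandLine": event.get("CommandLine", "")}

# Constructed sample events (not real telemetry): an Office-to-mshta chain, a browser-to-cmd
# chain, a benign explorer.exe parent, and a non-process-create event that must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe", "CommandLine": r"mshta.exe C:\Users\Public\doc.hta"},
    {"EventID": 1, "Computer": "WS02", "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Computer": "WS03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe"},
    {"EventID": 3, "Computer": "WS04", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

def run(events=SAMPLE_EVENTS) -> list:
    """Apply the detection to every event and keep only the matches, like the query's where clauses."""
    return [f for f in map(evaluate, events) if f]
```

Only the first two sample events survive the filters; the mshta.exe child is flagged HighRisk, the cmd.exe child is not, matching how the query would triage them.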
Data Sources
Required Tables
False Positives & Tuning
- Legitimate Office macro automation used by business operations teams that invoke PowerShell or cmd.exe for data pipeline tasks, SharePoint integration, or ERP system interactions
- Enterprise browser native messaging host configurations that spawn msiexec.exe or rundll32.exe for managed software deployment, smart card reader middleware, or DLP agent bridging
- Interactive Acrobat or Foxit PDF forms in compliance or legal workflows that call wscript.exe or certutil.exe for document-level scripting and certificate authority verification
Other platforms for T1203
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Office Exploitation — Equation Editor Child Process
Expected signal: Sysmon Event ID 1: Process Create with ParentImage containing eqnedt32.exe and Image=cmd.exe. Security Event ID 4688 with similar parent/child relationship if command line auditing enabled.
- Test 2: Office Application Spawning PowerShell via Macro Simulation
Expected signal: Sysmon Event ID 1: Process Create chain showing cmd.exe spawning powershell.exe. The detection focuses on the child process spawning pattern. PowerShell ScriptBlock Log Event ID 4104 will record the Write-Output command.
- Test 3: Browser Renderer Process Spawning Cmd
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with subsequent net.exe and whoami.exe child processes. This represents the reconnaissance commands commonly executed immediately following successful browser exploitation.
- Test 4: Mshta Spawned from Office Context (CVE-2021-40444 Pattern)
Expected signal: Sysmon Event ID 1: Process Create for mshta.exe. In real exploitation this process would have a parent of winword.exe or excel.exe. Security Event ID 4688 will also record the mshta.exe launch with command line arguments.
References (8)
- https://attack.mitre.org/techniques/T1203/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-11882
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1203/T1203.md
- https://www.mandiant.com/resources/blog/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://www.sentinelone.com/blog/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/