title: Exploitation for Client Execution (T1203)
id: df00tech-t1203
status: experimental
description: "Adversaries may exploit software vulnerabilities in client applications to execute code. This includes browser-based exploitation via drive-by compromise or spearphishing links, Office application exploitation through malicious attachments (CVE-2017-11882, CVE-2017-0262, CVE-2021-40444), and third-party application exploitation (Adobe Reader, Flash). These exploits cause vulnerable client software to execute attacker-controlled code, often spawning unexpected child processes or injecting shellcode into memory."
references:
  - https://attack.mitre.org/techniques/T1203/
  - https://df00tech.com/detections/T1203
author: df00tech
date: 2026/04/20
tags:
  - attack.t1203
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: this detection logic could not be auto-translated, and `EventID: '*'` matches
  # every process_creation event. Replace it with the KQL/SPL query on df00tech before deploying.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Office macros legitimately launching PowerShell or cmd.exe for automation tasks (SCCM, IT scripts embedded in documents)"
  - Browser helper objects or extensions that spawn child processes for download handling or media playback
  - "PDF readers launching external viewers or handlers for embedded attachments (e.g., opening an Excel file embedded in a PDF)"
  - Equation Editor (eqnedt32.exe) being spawned during legitimate document rendering on older Office versions
  - Developer tools or IDE integrations within browsers that spawn terminal processes
level: critical
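The parent/child pattern the description and false-positive notes point at, as an added example that is not the df00tech rule's own logic: a small Python evaluator that flags a client application (Office, Adobe Reader, browser, legacy Equation Editor) spawning a child a document or web page should not need. All process image names and the sample events are assumptions constructed for the example.

```python
# Added example, not part of the df00tech rule: evaluates the "client application
# spawns an unexpected child" pattern over process_creation events. All image
# names below are assumptions chosen to match the description and FP notes.

# Client applications named on the page as exploitation targets (assumed image names).
CLIENT_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe",   # Office
    "acrord32.exe",                               # Adobe Reader
    "chrome.exe", "msedge.exe", "firefox.exe",    # browsers
    "eqnedt32.exe",                               # legacy Equation Editor
}
# Children a document or web page should not normally need (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def image_name(path: str) -> str:
    """Lowercase file name from a Windows image path, or '' if missing."""
    return path.rsplit("\\", 1)[-1].lower()


def matches(event: dict) -> bool:
    """True when a client application spawns one of the suspicious children.

    Mirrors the rule's false-positive list: Word spawning eqnedt32.exe is
    normal on older Office, but eqnedt32.exe itself spawning cmd.exe is not.
    """
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    return parent in CLIENT_PARENTS and child in SUSPICIOUS_CHILDREN


def evaluate(events: list) -> list:
    """Return the subset of process_creation events that trigger the check."""
    return [e for e in events if matches(e)]


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},                                   # alert
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},  # legacy rendering, no alert
    {"ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},                                   # alert
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                                   # benign, no alert
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"T1203 candidate: {image_name(hit['ParentImage'])} -> {image_name(hit['Image'])}")
```

Tune `CLIENT_PARENTS` and `SUSPICIOUS_CHILDREN` to the software actually deployed in your environment; the false-positive list above (SCCM automation, browser extensions, PDF attachment handlers) is where exclusions belong.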
