Exploitation for Client Execution `T1203`

Tactic: Execution

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.

Events covered

15 catalog events are tagged with this technique by at least one rule.

Provider	Event	Title
Sysmon	Event ID 1	Process creation
Sysmon	Event ID 3	Network connection
Sysmon	Event ID 7	Image loaded
Sysmon	Event ID 11	FileCreate
Sysmon	Event ID 13	RegistryEvent (Value Set)
Sysmon	Event ID 22	DNSEvent (DNS query)
Security-Auditing	Event ID 4663	An attempt was made to access an object.
Security-Auditing	Event ID 4688	A new process has been created.
Security-Auditing	Event ID 5156	The Windows Filtering Platform has permitted a connection.
Defender-DeviceFileEvents	FileCreated	File created
Defender-DeviceNetworkEvents	any	Network activity (any)
Defender-DeviceProcessEvents	any	Process activity (any)
ESF	exec	Process Execution (Notify)
Audit-CVE	Event ID 1	Possible detection of CVE: PossibleDetectionOfCVE.
Sysmon-for-Linux	Event ID 1	Process Create

Authoring guide

Patterns shared across the 106 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (108 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`EventType`	22	`eq` 14, `in` 6, `contains` 1, `starts_with` 1	`exec`, `ProcessRollup2`, `IntrusionEvent`, `exec_event`, `ConnectionEvent`
`Image`	21	`ends_with` 19, `contains` 2, `is_not_null` 1	`\cmd.exe`, `\cscript.exe`, `\mshta.exe`, `/bash`, `\dfsvc.exe`
`event.type`	21	`eq` 19, `ne` 3, `in` 1	`start`, `deletion`, `creation`, `process_started`
`parent_process_name`	21	`eq` 13, `match` 4, `in` 3, `wildcard` 1	`foomatic-rip`, `(?i)EQNEDT32.EXE`, `cupsd`, `excel.exe`, `outlook.exe`
`process_name`	20	`eq` 14, `in` 5, `wildcard` 4	`bash`, `dash`, `csh`, `curl`, `arp.exe`
`CommandLine`	17	`contains` 12, `eq` 2, `match` 2, `regex_match` 2, `wildcard` 2, `ends_with` 1, `is_not_null` 1, `is_null` 1	`-e` , `&& echo`, `(?i).mmc\.exe.((Windows\s+\\\\System32)\|(Windows\s+Syst...`, `/dev/shm/`, `/dev/tcp`
`ParentImage`	16	`ends_with` 14, `contains` 1, `eq` 1	`\winrar.exe`, `\winword.exe`, `/node`, `/rsync`, `/rsyncd`
`host.os.type`	13	`eq` 10, `in` 3
`sourcetype`	8	`eq` 8	`cisco:sfw:estreamer`, `stream:dns`, `stream:tcp`
`Action`	7	`eq` 7, `contains` 2	`Blocked`, `Matched`, `*`, `dvcaction`, `vulnerabilityAlert`
`EventID`	6	`eq` 6	`7`, `4688`, `1`, `22`
`TargetFilename`	5	`contains` 2, `wildcard` 2, `ends_with` 1	`.cfg`, `.log`, `.txt`, `//sap.com//servlet_jsp/irj/root/`, `//sap.com//servlet_jsp/irj/work/`
`Total_TransactionId`	5	`ge` 5	`3`, `1`
`Category`	4	`eq` 4	`FrontDoorWebApplicationFirewallLog`, `ApplicationGatewayFirewallLog`
`ImageLoaded`	4	`ends_with` 2, `starts_with` 1, `wildcard` 1	`?:\users\\appdata\local\temp\wps\inetcache\`, `\\`, `\\\\`, `\\sdiageng.dll`, `\device\mup\*`

Top indicator values (972 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Field	Kind	Value	Rules (here)	Corpus reach
`event.type`	`eq`	`start` elasticCupsd or Foomatic-rip Shell Execution elasticExecution of File Written or Modified by Microsoft Office elasticFile Creation by Cups or Foomatic-rip Child elasticNetwork Connection by Cups or Foomatic-rip Child elasticPotential CVE-2025-33053 Exploitation elasticPotential Foxmail Exploitation elasticPotential Git CVE-2025-48384 Exploitation elasticPotential JAVA/JNDI Exploitation Attempt elasticPotential Notepad Markdown RCE Exploitation elasticPotential SAP NetWeaver Exploitation elasticPotential Shell via Wildcard Injection Detected elasticPrinter User (lp) Shell Execution elasticSuspicious Communication App Child Process elasticSuspicious Execution from Foomatic-rip or Cupsd Parent elasticSuspicious MS Office Child Process elasticSuspicious Outlook Child Process elasticSuspicious PDF Reader Child Process elasticSuspicious Zoom Child Process	18	606
`sourcetype`	`eq`	`cisco:sfw:estreamer` splunkCisco Secure Firewall - Binary File Type Download splunkCisco Secure Firewall - Blocked Connection splunkCisco Secure Firewall - Citrix NetScaler Memory Overread Attempt splunkCisco Secure Firewall - High Priority Intrusion Classification splunkCisco Secure Firewall - Malware File Downloaded splunkCisco Secure Firewall - Possibly Compromised Host splunkCisco Secure Firewall - Repeated Blocked Connections	7	32
`EventType`	`in`	`exec` elasticCupsd or Foomatic-rip Shell Execution elasticFile Creation by Cups or Foomatic-rip Child elasticPotential Git CVE-2025-48384 Exploitation elasticPotential Shell via Wildcard Injection Detected elasticPrinter User (lp) Shell Execution elasticSuspicious Execution from Foomatic-rip or Cupsd Parent	6	171
`EventType`	`in`	`ProcessRollup2` elasticCupsd or Foomatic-rip Shell Execution elasticPotential Git CVE-2025-48384 Exploitation elasticPotential Shell via Wildcard Injection Detected elasticPrinter User (lp) Shell Execution elasticSuspicious Execution from Foomatic-rip or Cupsd Parent	5	117
`EventType`	`in`	`start` elasticCupsd or Foomatic-rip Shell Execution elasticFile Creation by Cups or Foomatic-rip Child elasticPotential Git CVE-2025-48384 Exploitation elasticPotential Shell via Wildcard Injection Detected elasticSuspicious Execution from Foomatic-rip or Cupsd Parent	5	134
`EventType`	`in`	`exec_event` elasticCupsd or Foomatic-rip Shell Execution elasticPrinter User (lp) Shell Execution elasticSuspicious Execution from Foomatic-rip or Cupsd Parent	3	139
`Image`	`ends_with`	`\cmd.exe` sigmaCVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process sigmaExploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process sigmaPotentially Suspicious Child Process of KeyScrambler.exe sigmaPotentially Suspicious Child Process Of WinRAR.EXE sigmaSuspicious ArcSOC.exe Child Process sigmaSuspicious Spool Service Child Process	6	130
`Image`	`ends_with`	`\powershell.exe` sigmaCVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process sigmaExploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process sigmaPotentially Suspicious Child Process of KeyScrambler.exe sigmaPotentially Suspicious Child Process Of WinRAR.EXE sigmaSuspicious ArcSOC.exe Child Process sigmaSuspicious Spool Service Child Process	6	182
`Image`	`ends_with`	`\pwsh.exe` sigmaCVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process sigmaExploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process sigmaPotentially Suspicious Child Process of KeyScrambler.exe sigmaPotentially Suspicious Child Process Of WinRAR.EXE sigmaSuspicious ArcSOC.exe Child Process sigmaSuspicious Spool Service Child Process	6	168
`Image`	`ends_with`	`\cscript.exe` sigmaCVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process sigmaPotentially Suspicious Child Process of KeyScrambler.exe sigmaPotentially Suspicious Child Process Of WinRAR.EXE sigmaSuspicious ArcSOC.exe Child Process	4	73
`Image`	`ends_with`	`\rundll32.exe` sigmaPotentially Suspicious Child Process of KeyScrambler.exe sigmaPotentially Suspicious Child Process Of WinRAR.EXE sigmaSuspicious ArcSOC.exe Child Process sigmaSuspicious Spool Service Child Process	4	95
`Image`	`ends_with`	`\wscript.exe` sigmaCVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process sigmaPotentially Suspicious Child Process of KeyScrambler.exe sigmaPotentially Suspicious Child Process Of WinRAR.EXE sigmaSuspicious ArcSOC.exe Child Process	4	75
`Image`	`ends_with`	`\mshta.exe` sigmaPotentially Suspicious Child Process of KeyScrambler.exe sigmaPotentially Suspicious Child Process Of WinRAR.EXE sigmaSuspicious ArcSOC.exe Child Process	3	67
`process_name`	`in`	`bash` elasticCupsd or Foomatic-rip Shell Execution elasticFile Creation by Cups or Foomatic-rip Child elasticNetwork Connection by Cups or Foomatic-rip Child elasticPotential Git CVE-2025-48384 Exploitation elasticPrinter User (lp) Shell Execution	5	88
`process_name`	`in`	`csh` elasticCupsd or Foomatic-rip Shell Execution elasticFile Creation by Cups or Foomatic-rip Child elasticNetwork Connection by Cups or Foomatic-rip Child elasticPotential Git CVE-2025-48384 Exploitation elasticPrinter User (lp) Shell Execution	5	71
`process_name`	`in`	`dash` elasticCupsd or Foomatic-rip Shell Execution elasticFile Creation by Cups or Foomatic-rip Child elasticNetwork Connection by Cups or Foomatic-rip Child elasticPotential Git CVE-2025-48384 Exploitation elasticPrinter User (lp) Shell Execution	5	78
`process_name`	`in`	`fish` elasticCupsd or Foomatic-rip Shell Execution elasticFile Creation by Cups or Foomatic-rip Child elasticNetwork Connection by Cups or Foomatic-rip Child elasticPotential Git CVE-2025-48384 Exploitation elasticPrinter User (lp) Shell Execution	5	72
`process_name`	`in`	`ksh` elasticCupsd or Foomatic-rip Shell Execution elasticFile Creation by Cups or Foomatic-rip Child elasticNetwork Connection by Cups or Foomatic-rip Child elasticPotential Git CVE-2025-48384 Exploitation elasticPrinter User (lp) Shell Execution	5	73
`process_name`	`in`	`sh` elasticCupsd or Foomatic-rip Shell Execution elasticFile Creation by Cups or Foomatic-rip Child elasticNetwork Connection by Cups or Foomatic-rip Child elasticPotential Git CVE-2025-48384 Exploitation elasticPrinter User (lp) Shell Execution	5	83
`process_name`	`in`	`tcsh` elasticCupsd or Foomatic-rip Shell Execution elasticFile Creation by Cups or Foomatic-rip Child elasticNetwork Connection by Cups or Foomatic-rip Child elasticPotential Git CVE-2025-48384 Exploitation elasticPrinter User (lp) Shell Execution	5	69
`process_name`	`in`	`zsh` elasticCupsd or Foomatic-rip Shell Execution elasticFile Creation by Cups or Foomatic-rip Child elasticNetwork Connection by Cups or Foomatic-rip Child elasticPotential Git CVE-2025-48384 Exploitation elasticPrinter User (lp) Shell Execution	5	82
`Action`	`eq`	`Blocked` kustoApp Gateway WAF - Scanner Detection kustoApp Gateway WAF - XSS Detection kustoApp GW WAF - Code Injection kustoApp GW WAF - Path Traversal Attack	4	6
`Action`	`eq`	`Matched` kustoApp Gateway WAF - Scanner Detection kustoApp Gateway WAF - XSS Detection kustoApp GW WAF - Code Injection kustoApp GW WAF - Path Traversal Attack	4	5
`Total_TransactionId`	`ge`	`3` kustoApp Gateway WAF - Scanner Detection kustoApp Gateway WAF - XSS Detection kustoApp GW WAF - Code Injection kustoApp GW WAF - Path Traversal Attack	4	6
`process_name`	`wildcard`	`curl` elasticPotential JAVA/JNDI Exploitation Attempt elasticPotential SAP NetWeaver Exploitation elasticSuspicious Browser Child Process elasticSuspicious macOS MS Office Child Process	4	16
`process_name`	`wildcard`	`perl*` elasticPotential JAVA/JNDI Exploitation Attempt elasticPotential SAP NetWeaver Exploitation elasticSuspicious Browser Child Process elasticSuspicious macOS MS Office Child Process	4	11
`process_name`	`wildcard`	`python*` elasticPotential JAVA/JNDI Exploitation Attempt elasticPotential SAP NetWeaver Exploitation elasticSuspicious Browser Child Process elasticSuspicious macOS MS Office Child Process	4	24
`Category`	`eq`	`FrontDoorWebApplicationFirewallLog` kustoAFD WAF - Code Injection kustoAFD WAF - Path Traversal Attack kustoFront Door Premium WAF - XSS Detection	3	4
`EventID`	`eq`	`7` splunkPotential Follina_DogWalk Activity - mdst.exe (Sysmon) splunkSunburst Correlation DLL and Network Event splunkWindows Remote Image Load	3	39
`EventType`	`eq`	`IntrusionEvent` splunkCisco Secure Firewall - Citrix NetScaler Memory Overread Attempt splunkCisco Secure Firewall - High Priority Intrusion Classification splunkCisco Secure Firewall - Possibly Compromised Host	3	18

Exclusions (297 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Field	Kind	Value	Rules excluding
`process.code_signature.trusted`	`eq`	`true` elasticExecution of File Written or Modified by Microsoft Office elasticSuspicious Communication App Child Process elasticSuspicious Outlook Child Process	3
`CommandLine`	`wildcard`	`-sDEVICE=ps2write` elasticCupsd or Foomatic-rip Shell Execution elasticPrinter User (lp) Shell Execution	2
`CommandLine`	`wildcard`	`/tmp/foomatic-` elasticCupsd or Foomatic-rip Shell Execution elasticPrinter User (lp) Shell Execution	2
`CommandLine`	`wildcard`	`printf` elasticCupsd or Foomatic-rip Shell Execution elasticPrinter User (lp) Shell Execution	2
`CommandLine`	`wildcard`	`/bin/bash -c cat` elasticCupsd or Foomatic-rip Shell Execution elasticPrinter User (lp) Shell Execution	2
`CommandLine`	`wildcard`	`/bin/bash -e -c cat` elasticCupsd or Foomatic-rip Shell Execution elasticPrinter User (lp) Shell Execution	2
`CommandLine`	`wildcard`	`/bin/sh -e -c cat` elasticCupsd or Foomatic-rip Shell Execution elasticPrinter User (lp) Shell Execution	2
`DestinationPort`	`eq`	`443` sigmaDfsvc.EXE Initiated Network Connection Over Uncommon Port sigmaOffice Application Initiated Network Connection To Non-Local IP	2
`DestinationPort`	`eq`	`80` sigmaDfsvc.EXE Initiated Network Connection Over Uncommon Port sigmaOffice Application Initiated Network Connection To Non-Local IP	2
`Image`	`wildcard`	`?:\users\*\appdata\local\google\chrome\application\chrome.exe` elasticSuspicious Communication App Child Process elasticSuspicious Outlook Child Process	2
`Image`	`wildcard`	`?:\users\*\appdata\local\island\island\application\island.exe` elasticSuspicious Communication App Child Process elasticSuspicious Outlook Child Process	2
`Image`	`wildcard`	`?:\users\*\appdata\local\mozilla firefox\firefox.exe` elasticSuspicious Communication App Child Process elasticSuspicious Outlook Child Process	2
`Image`	`wildcard`	`?:\windows\system32\werfault.exe` elasticSuspicious Communication App Child Process elasticSuspicious Outlook Child Process	2
`Image`	`wildcard`	`?:\windows\syswow64\werfault.exe` elasticSuspicious Communication App Child Process elasticSuspicious Outlook Child Process	2
`dest_ip`	`cidr_match`	`10.0.0.0/8` sigmaDfsvc.EXE Network Connection To Non-Local IPs sigmaOffice Application Initiated Network Connection To Non-Local IP	2

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Exploitation for Client Execution `T1203`

Events covered

Authoring guide

Fields filtered most (108 distinct)

Top indicator values (972 distinct)

Exclusions (297 distinct)

Rules under this technique

Sigma 33 rules

Elastic 29 rules

Splunk 17 rules

Kusto 24 rules

Panther 3 rules

Keyboard shortcuts

Search operators

Exploitation for Client Execution T1203

Events covered

Authoring guide

Fields filtered most (108 distinct)

Top indicator values (972 distinct)

Exclusions (297 distinct)

Rules under this technique

Sigma 33 rules

Elastic 29 rules

Splunk 17 rules

Kusto 24 rules

Panther 3 rules

Exploitation for Client Execution `T1203`