Skip to content

DET0287 Exploitation for Client Execution – cross-platform behavior chain (browser/Office/3rd-party apps)

Item Value
ID DET0287
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1203 (Exploitation for Client Execution)

Analytics

Windows

AN0797

Cause→effect chain: (1) A client app (browser, Office, PDF/Flash/reader) experiences a crash/abnormal exit or loads from an unusual location, then (2) drops or modifies a file in user-writable paths, and/or (3) spawns an unexpected child (e.g., powershell/cmd/mshta/rundll32/wscript/installer), and (4) establishes outbound C2-like connections shortly after. Correlate application logs, file writes, process lineage, and network egress within a short window.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) WinEventLog:Application EventCode=1000
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Mutable Elements
Field Description
TimeWindow Correlation window (e.g., 15m) between crash/write/child/network.
HighRiskChildren List of child processes that should rarely spawn from Office/browsers (powershell.exe, cmd.exe, wscript.exe, mshta.exe, rundll32.exe, regsvr32.exe, msiexec.exe, curl.exe).
UserPaths Writable paths to watch (Downloads, %TEMP%, %APPDATA%, OneDrive, Office startup folders).
AllowedPlugins Known add-ins/extensions and updater binaries to reduce noise.
EgressAllowlist Known update/CDN domains and proxy egress CIDRs for suppression.

Linux

AN0798

Cause→effect chain: (1) Browser/Office/reader process logs crash/segfault or abnormal sandbox message, (2) new executable/script/write occurs in $HOME (Downloads, ~/.cache, /tmp), (3) unexpected child like curl/wget/bash/python opens network connections soon after.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) linux:syslog browser/office crash, segfault, abnormal termination
File Access (DC0055) auditd:SYSCALL open
File Creation (DC0039) auditd:SYSCALL creat
File Modification (DC0061) auditd:SYSCALL rename,chmod
Process Creation (DC0032) auditd:SYSCALL execve
Network Traffic Flow (DC0078) NetFlow:Flow new outbound connections from exploited process tree
Mutable Elements
Field Description
TimeWindow 5–20m correlation window.
UserPaths HOME write targets: ~/Downloads, ~/.config/autostart, ~/.local/share, /tmp.
HighRiskChildren bash, sh, python, perl, node, curl, wget, socat, openssl, xxd.
PackageUpdaters Allow-list common updaters (snap, flatpak, packagekit) to reduce FP.

macOS

AN0799

Cause→effect chain: (1) App crash/abnormal termination in unified logs for Safari/Chrome/Office/Preview, (2) new files/scripts in ~/Library, ~/Downloads, /private/var/folders/*, (3) unexpected child (osascript, zsh, bash, curl) spawned by those apps, (4) new outbound connections.

Log Sources
Data Component Name Channel
Application Log Content (DC0038) macos:unifiedlog process crash, abort, code signing violations
File Modification (DC0061) fs:fsevents create/write/rename under user-writable paths
Process Creation (DC0032) macos:osquery exec
Network Traffic Flow (DC0078) NSM:Connections new connections from exploited lineage
Mutable Elements
Field Description
TimeWindow 10–30m correlation window.
HighRiskChildren osascript, bash, zsh, curl, python, pbpaste/pbcopy, open -a Terminal.
UserPaths ~/Library/LaunchAgents, ~/Library/Containers//Data, /private/var/folders/.
QuarantineBypass Flag files with missing com.apple.quarantine extended attribute when sourced from internet.