0

I was reading a recent report about an APT and jumped into this Technique: https://attack.mitre.org/techniques/T1203/

This technique is called:

Exploitation for Client Execution

And that might match with what a macro is. However, the description says the following:

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.

I do not see how Macros are included on the "software vulnerabilities" bundle when they are clearly not.

OscarAkaElvis
  • 5,185
  • 3
  • 17
  • 48
borcho
  • 550
  • 2
  • 15
  • 1
    Typically macro functions becoming "arbitrary code" is what the vulnerability is. – user Apr 06 '21 at 18:50
  • I don't think you are wrong but, how does this relate to the description that Mitre provides? – borcho Apr 06 '21 at 19:09
  • Where is the connection between T1203 and macros? That's not stated anywhere. – schroeder Apr 06 '21 at 19:33
  • less than 1% of microsoft office users have ever actually used macros, yet they are enabled by default and continuously allow computers to get pwned in a few clicks... its a just another feature of Microsoft Office – john doe Apr 09 '21 at 20:09

0 Answers0