Exploitation for Client Execution

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries may take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.

Adversaries may use device-based zero-click exploits for code execution. These exploits are powerful because there is no user interaction required for code execution.

SMS/iMessage Delivery

SMS and iMessage in iOS are common targets through Drive-By Compromise, Phishing, etc. Adversaries may use embed malicious links, files, etc. in SMS messages or iMessages. Mobile devices may be compromised through one-click exploits, where the victim must interact with a text message, or zero-click exploits, where no user interaction is required.


Unique to iOS, AirDrop is a network protocol that allows iOS users to transfer files between iOS devices. Before patches from Apple were released, on iOS 13.4 and earlier, adversaries may force the Apple Wireless Direct Link (AWDL) interface to activate, then exploit a buffer overflow to gain access to the device and run as root without interaction from the user.

ID: T1658
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Execution
Platforms: Android, iOS
Contributors: Giorgi Gurgenidze, ISAC
Version: 1.0
Created: 23 August 2023
Last Modified: 28 September 2023

Procedure Examples

ID Name Description
S0289 Pegasus for iOS

Pegasus for iOS can compromise iPhones running iOS 16.6 without any user interaction.


ID Mitigation Description
M1001 Security Updates

Security updates frequently contain patches to vulnerabilities.

M1011 User Guidance

Users should be wary of iMessages from unknown senders. Additionally, users should be instructed not to open unrecognized links or other attachments in text messages.


ID Data Source Data Component Detects
DS0041 Application Vetting Network Communication

Network traffic analysis may reveal processes communicating with malicious domains.