T1218: System Binary Proxy Execution
| View on MITRE ATT&CK | T1218 |
|---|---|
| Tactic(s) | Defense Evasion |
Data from MITRE ATT&CK®:
Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.
Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
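The description above names the pattern (a signed or otherwise trusted binary proxies execution of attacker-supplied content), and the data components listed under "How to detect this technique" below point at process creation telemetry (Sysmon EID 1, Windows EID 4688) as the primary source. The following detector is an added example written for this page; it is not code from MITRE, LOLBAS, Sigma or Atomic Red Team. It applies a handful of rules over constructed process-creation events shaped like Sysmon EID 1 fields. The command-line forms in the rules are the documented LOLBAS/GTFOBins invocations for wuauclt, mavinject, InfDefaultInstall, DiskShadow, Register-CimProvider, Microsoft.Workflow.Compiler, Gpscript and GNU split; every path, PID and DLL name in the sample events is a constructed placeholder, and the "expected location" check (native Windows binaries under C:\Windows) is an assumption a real deployment would tune.

```python
"""Added example: minimal System Binary Proxy Execution (T1218) detector.

Runs over constructed process-creation events (Sysmon EID 1 / Windows EID 4688
style fields). The rule patterns are the documented LOLBAS/GTFOBins invocations;
the sample events and every path in them are constructed, not real telemetry.
"""
import ntpath
import posixpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Subset of Sysmon EID 1 fields used by the rules."""
    image: str                      # Image (full path of the created process)
    command_line: str               # CommandLine
    original_file_name: str = ""    # OriginalFileName from the PE version info
    parent_image: str = ""          # ParentImage


# (lowercase binary name, regex applied to the command line, finding label).
# An empty pattern flags every execution of that binary.
RULES = [
    ("wuauclt.exe", r"/UpdateDeploymentProvider\s+\S+\.dll\s+/RunHandlerComServer",
     "Wuauclt arbitrary DLL load"),
    ("mavinject.exe", r"/INJECTRUNNING", "Mavinject DLL injection into running process"),
    ("infdefaultinstall.exe", r"\S+\.inf\b", "InfDefaultInstall .inf execution"),
    ("diskshadow.exe", r"(?:^|\s)/s\s+\S+", "DiskShadow script mode"),
    ("register-cimprovider.exe", r"-Path\s+\S+\.dll", "Register-CimProvider DLL load"),
    ("microsoft.workflow.compiler.exe", r"", "Workflow Compiler execution"),
    ("gpscript.exe", r"/(?:startup|logon)\b", "Gpscript startup/logon script execution"),
    ("split", r"--filter=", "GNU split --filter command proxy"),
]


def _basename(path: str) -> str:
    """Lowercase file name for either a Windows or a POSIX path."""
    name = ntpath.basename(path) if "\\" in path else posixpath.basename(path)
    return name.lower()


def analyze(events):
    """Return one finding dict per event that matches a rule."""
    findings = []
    for idx, ev in enumerate(events):
        image_name = _basename(ev.image)
        # Renaming the file on disk does not change the PE's OriginalFileName,
        # so match on that field whenever Sysmon supplies it.
        effective = ev.original_file_name.lower() or image_name
        for binary, pattern, label in RULES:
            if effective != binary or not re.search(pattern, ev.command_line, re.IGNORECASE):
                continue
            notes = []
            if effective != image_name:
                notes.append(f"renamed binary (OriginalFileName={ev.original_file_name})")
            # Assumption: native Windows binaries live under C:\Windows; a copy
            # running from elsewhere suggests a relocated LOLBin.
            if "\\" in ev.image and not ev.image.lower().startswith("c:\\windows\\"):
                notes.append("executed from outside C:\\Windows")
            findings.append({"event": idx, "label": label, "image": ev.image, "notes": notes})
    return findings


# Constructed sample events; all paths, PIDs and DLL names are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wuauclt.exe",
              r"wuauclt.exe /UpdateDeploymentProvider C:\Users\Public\payload.dll /RunHandlerComServer",
              "wuauclt.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\wuauclt.exe", "wuauclt.exe /detectnow",   # benign update check
              "wuauclt.exe", r"C:\Windows\System32\svchost.exe"),
    ProcEvent(r"C:\Users\Public\update.exe",                                  # renamed mavinject.exe
              r"update.exe 4512 /INJECTRUNNING C:\Users\Public\hook.dll",
              "mavinject.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\diskshadow.exe",
              r"diskshadow.exe /s C:\Temp\run.txt", "diskshadow.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe",
              r"Microsoft.Workflow.Compiler.exe C:\Temp\run.xml C:\Temp\out.xml",
              "Microsoft.Workflow.Compiler.exe"),
    ProcEvent("/usr/bin/split", "split --filter=/bin/sh /dev/stdin", "", "/bin/bash"),
    ProcEvent("/usr/bin/split", "split -b 1M archive.tar part_", "", "/bin/bash"),  # benign
]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"event {finding['event']}: {finding['label']} [{finding['image']}] {finding['notes']}")
```

Matching on OriginalFileName rather than the on-disk name is what catches the renamed mavinject.exe copy in the sample set, which is the same idea behind the "Renamed ... Execution" and "Use From Invalid Path" detections listed further down this page; the benign wuauclt and split invocations produce no finding, since the rules key on the documented abuse arguments rather than on the binary alone.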
Reporting on this Technique
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Execution Prevention: Block execution of code on a system through application control, and/or script blocking.
Disable or Remove Feature or Program: Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Privileged Account Management: Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
Exploit Protection: Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
How to detect this technique
MITRE ATT&CK Data Components
Network Connection Creation (Network Traffic): Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)
Module Load (Module): Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)
Windows Registry Key Modification (Windows Registry): Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)
Command Execution (Command): The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Process Creation (Process): The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
File Creation (File): Initial construction of a new file (ex: Sysmon EID 11)
OS API Execution (Process): Operating system function/method calls executed by a process
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
ProtocolHandler.exe Downloaded a Suspicious File
Load Arbitrary DLL via Wuauclt (Windows Update Client)
InfDefaultInstall.exe .inf Execution
Lolbin Gpscript startup option
Lolbin Gpscript logon option
LOLBAS CustomShellHost to Spawn Process
Microsoft.Workflow.Compiler.exe Payload Execution
Renamed Microsoft.Workflow.Compiler.exe Payload Executions
mavinject - Inject DLL into running process
Invoke-ATHRemoteFXvGPUDisablementCommand base test
LOLBAS Msedge to Spawn Process
DiskShadow Command Execution
Register-CimProvider - Execute evil dll
Provlaunch.exe Executes Arbitrary Command via Registry Key
Lolbas ie4uinit.exe use as proxy
Sigma Detections for this Technique
Suspicious DLL Loaded via CertOC.EXE
Suspicious Csi.exe Usage
Arbitrary MSI Download Via Devinit.EXE
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
Suspicious ZipExec Execution
Process Memory Dump Via Dotnet-Dump
Potentially Over Permissive Permissions Granted Using Dsacls.EXE
Arbitrary File Download Via IMEWDBLD.EXE
Uncommon Child Process Of AddinUtil.EXE
Potential Password Spraying Attempt Using Dsacls.EXE
Suspicious DotNET CLR Usage Log Artifact
Potential Binary Impersonating Sysinternals Tools
Atbroker Registry Change
Suspicious Child Process Of BgInfo.EXE
Malicious Windows Script Components File Execution by TAEF Detection
Potential Suspicious Mofcomp Execution
Application Whitelisting Bypass via Dxcap.exe
Self Extraction Directive File Created In Potentially Suspicious Location
Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
Potential RemoteFXvGPUDisablement.EXE Abuse
SyncAppvPublishingServer Execution to Bypass Powershell Restriction
Legitimate Application Dropped Executable
DLL Loaded via CertOC.EXE
Microsoft Sync Center Suspicious Network Connections
SyncAppvPublishingServer Execute Arbitrary PowerShell Code
Process Proxy Execution Via Squirrel.EXE
Potentially Suspicious Child Process Of DiskShadow.EXE
Potential File Download Via MS-AppInstaller Protocol Handler
Windows Shell/Scripting Processes Spawning Suspicious Programs
Arbitrary File Download Via PresentationHost.EXE
Network Connection Initiated By AddinUtil.EXE
Curl Download And Execute Combination
Import LDAP Data Interchange Format File Via Ldifde.EXE
WinDbg/CDB LOLBIN Usage
Visual Studio NodejsTools PressAnyKey Renamed Execution
RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
Renamed ZOHO Dctask64 Execution
Potential DLL Sideloading Using Coregen.exe
Arbitrary File Download Via Squirrel.EXE
Suspicious Extexport Execution
Arbitrary Command Execution Using WSL
OpenWith.exe Executes Specified Binary
Wlrmdr.EXE Uncommon Argument Or Child Process
Legitimate Application Dropped Script
Potentially Suspicious Cabinet File Expansion
Diskshadow Script Mode - Execution From Potential Suspicious Location
Potential Provlaunch.EXE Binary Proxy Execution Abuse
Potential Binary Proxy Execution Via VSDiagnostics.EXE
Execution via stordiag.exe
Use of Scriptrunner.exe
Suspicious AgentExecutor PowerShell Execution
Application Whitelisting Bypass via Dnx.exe
Execute Pcwrun.EXE To Leverage Follina
Lolbin Unregmp2.exe Use As Proxy
Execution via WorkFolders.exe
Suspicious Provlaunch.EXE Child Process
Suspicious MSDT Parent Process
Potential NTLM Coercion Via Certutil.EXE
DeviceCredentialDeployment Execution
Insensitive Subfolder Search Via Findstr.EXE
Arbitrary File Download Via MSEDGE_PROXY.EXE
REGISTER_APP.VBS Proxy Execution
Arbitrary File Download Via MSPUB.EXE
Lolbin Runexehelper Use As Proxy
Verclsid.exe Runs COM Object
Time Travel Debugging Utility Usage
Suspicious Vsls-Agent Command With AgentExtensionPath Load
Execute MSDT Via Answer File
Suspicious Cmdl32 Execution
Legitimate Application Dropped Archive
File Download Via Windows Defender MpCmpRun.EXE
Remote File Download Via Findstr.EXE
Gpscript Execution
Execute Files with Msdeploy.exe
WSL Child Process Anomaly
Sideloading Link.EXE
Uncommon AddinUtil.EXE CommandLine Execution
Custom Class Execution via Xwizard
Microsoft Workflow Compiler Execution
Suspicious HH.EXE Execution
Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN
Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
Potentially Suspicious Wuauclt Network Connection
Potential Register_App.Vbs LOLScript Abuse
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
Potentially Suspicious CMD Shell Output Redirect
Proxy Execution Via Explorer.exe
File Download Using ProtocolHandler.exe
DLL Execution via Rasautou.exe
Ie4uinit Lolbin Use From Invalid Path
Dllhost.EXE Initiated Network Connection To Non-Local IP Address
MpiExec Lolbin
Binary Proxy Execution Via Dotnet-Trace.EXE
Devtoolslauncher.exe Executes Specified Binary
Potentially Suspicious Child Process Of VsCode
Created Files by Microsoft Sync Center
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
Use Of The SFTP.EXE Binary As A LOLBIN
Arbitrary File Download Via MSOHTMED.EXE
Time Travel Debugging Utility Usage - Image
HTML Help HH.EXE Suspicious Child Process
Uncommon Child Process Of Appvlp.EXE
MSI Installation From Web
Uncommon Child Process Of BgInfo.EXE
Use of VisualUiaVerifyNative.exe
Diskshadow Script Mode - Uncommon Script Extension Execution
Potentially Suspicious Self Extraction Directive File Created
Sdiagnhost Calling Suspicious Child Process
Potential Provisioning Registry Key Abuse For Binary Proxy Execution
Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
Lolbin Defaultpack.exe Use As Proxy
Proxy Execution Via Wuauclt.EXE
AddinUtil.EXE Execution From Uncommon Directory
XBAP Execution From Uncommon Locations Via PresentationHost.EXE
SyncAppvPublishingServer Bypass Powershell Restriction - PS Module
Execution DLL of Choice Using WAB.EXE
Malicious PE Execution by Microsoft Visual Studio Debugger
AgentExecutor PowerShell Execution
InfDefaultInstall.exe .inf Execution
Use of Setres.exe
Renamed MegaSync Execution
Indirect Command Execution By Program Compatibility Wizard
Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
Suspicious AddinUtil.EXE CommandLine Execution
File Download Via InstallUtil.EXE
Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
Abusing Print Executable
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.