T1218 System Binary Proxy Execution Mappings

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.

Similarly, on Linux systems adversaries may abuse trusted binaries such as <code>split</code> to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1218 Signed Binary Proxy Execution
AC-3 Access Enforcement Protects T1218 Signed Binary Proxy Execution
AC-5 Separation of Duties Protects T1218 Signed Binary Proxy Execution
AC-6 Least Privilege Protects T1218 Signed Binary Proxy Execution
CA-7 Continuous Monitoring Protects T1218 Signed Binary Proxy Execution
CM-11 User-installed Software Protects T1218 Signed Binary Proxy Execution
CM-2 Baseline Configuration Protects T1218 Signed Binary Proxy Execution
CM-5 Access Restrictions for Change Protects T1218 Signed Binary Proxy Execution
CM-6 Configuration Settings Protects T1218 Signed Binary Proxy Execution
CM-7 Least Functionality Protects T1218 Signed Binary Proxy Execution
CM-8 System Component Inventory Protects T1218 Signed Binary Proxy Execution
IA-2 Identification and Authentication (organizational Users) Protects T1218 Signed Binary Proxy Execution
RA-5 Vulnerability Monitoring and Scanning Protects T1218 Signed Binary Proxy Execution
SI-10 Information Input Validation Protects T1218 Signed Binary Proxy Execution
SI-16 Memory Protection Protects T1218 Signed Binary Proxy Execution
SI-3 Malicious Code Protection Protects T1218 Signed Binary Proxy Execution
SI-4 System Monitoring Protects T1218 Signed Binary Proxy Execution
SI-7 Software, Firmware, and Information Integrity Protects T1218 Signed Binary Proxy Execution
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218 Signed Binary Proxy Execution

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1218.011 Rundll32 5
T1218.013 Mavinject 12
T1218.004 InstallUtil 12
T1218.007 Msiexec 10
T1218.003 CMSTP 12
T1218.002 Control Panel 12
T1218.008 Odbcconf 12
T1218.012 Verclsid 17
T1218.005 Mshta 12
T1218.001 Compiled HTML File 11
T1218.010 Regsvr32 5
T1218.009 Regsvcs/Regasm 12
T1218.014 MMC 12