Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.
Similarly, on Linux systems adversaries may abuse trusted binaries such as <code>split</code> to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-02 | Account Management | Protects | T1218 | System Binary Proxy Execution | |
AC-06 | Least Privilege | Protects | T1218 | System Binary Proxy Execution | |
CA-07 | Continuous Monitoring | Protects | T1218 | System Binary Proxy Execution | |
CM-11 | User-installed Software | Protects | T1218 | System Binary Proxy Execution | |
CM-02 | Baseline Configuration | Protects | T1218 | System Binary Proxy Execution | |
CM-05 | Access Restrictions for Change | Protects | T1218 | System Binary Proxy Execution | |
CM-06 | Configuration Settings | Protects | T1218 | System Binary Proxy Execution | |
CM-07 | Least Functionality | Protects | T1218 | System Binary Proxy Execution | |
CM-08 | System Component Inventory | Protects | T1218 | System Binary Proxy Execution | |
IA-02 | Identification and Authentication (organizational Users) | Protects | T1218 | System Binary Proxy Execution |