Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.
Similarly, on Linux systems adversaries may abuse trusted binaries such as <code>split</code> to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1218 | System Binary Proxy Execution |
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of System Binary Proxy Execution techniques. This integrated solution strengthens CrowdStrike Falcon, enabling the detection and mitigation of cyber threats earlier in the kill chain, while minimizing system performance impact.
System Binary Proxy Execution (T1218) involves adversaries executing malicious code through legitimate system binaries or processes to evade detection. Attackers often use system tools like rundll32.exe, wmic.exe, or regsvr32.exe as proxies to launch malicious payloads, leveraging trusted binaries to bypass security controls. Intel TDT provides deep visibility into program execution, memory access, and control flow, allowing security teams to detect abnormal behaviors, such as unusual interactions with trusted system binaries, that could indicate proxy execution or malicious activity.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability | secondary_impact | T1218 | System Binary Proxy Execution |
Comments
This is an authentication bypass vulnerability that can enable remote code execution.
Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.
References
|
| CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability | secondary_impact | T1218 | System Binary Proxy Execution |
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
|