Home
ATT&CK Techniques
T1218 System Binary Proxy Execution

T1218 System Binary Proxy Execution Mappings

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.

Similarly, on Linux systems adversaries may abuse trusted binaries such as <code>split</code> to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
CA-07	Continuous Monitoring	mitigates	T1218	System Binary Proxy Execution
CM-06	Configuration Settings	mitigates	T1218	System Binary Proxy Execution
CM-05	Access Restrictions for Change	mitigates	T1218	System Binary Proxy Execution
CM-11	User-installed Software	mitigates	T1218	System Binary Proxy Execution
SI-16	Memory Protection	mitigates	T1218	System Binary Proxy Execution
RA-05	Vulnerability Monitoring and Scanning	mitigates	T1218	System Binary Proxy Execution
CM-08	System Component Inventory	mitigates	T1218	System Binary Proxy Execution
SI-10	Information Input Validation	mitigates	T1218	System Binary Proxy Execution
SI-03	Malicious Code Protection	mitigates	T1218	System Binary Proxy Execution
SI-07	Software, Firmware, and Information Integrity	mitigates	T1218	System Binary Proxy Execution
CM-02	Baseline Configuration	mitigates	T1218	System Binary Proxy Execution
IA-02	Identification and Authentication (Organizational Users)	mitigates	T1218	System Binary Proxy Execution
CM-07	Least Functionality	mitigates	T1218	System Binary Proxy Execution
SI-04	System Monitoring	mitigates	T1218	System Binary Proxy Execution
AC-02	Account Management	mitigates	T1218	System Binary Proxy Execution
AC-06	Least Privilege	mitigates	T1218	System Binary Proxy Execution
AC-03	Access Enforcement	mitigates	T1218	System Binary Proxy Execution
AC-05	Separation of Duties	mitigates	T1218	System Binary Proxy Execution
AC-04	Information Flow Enforcement	mitigates	T1218	System Binary Proxy Execution
SC-07	Boundary Protection	mitigates	T1218	System Binary Proxy Execution

VERIS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
action.hacking.variety.Abuse of functionality	Abuse of functionality.	related-to	T1218	System Binary Proxy Execution
action.malware.variety.Destroy data	Destroy or corrupt stored data	related-to	T1218	System Binary Proxy Execution

GCP Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
google_secops	Google Security Operations	technique_scores	T1218	System Binary Proxy Execution	Comments Google Security Ops is able to trigger an alert based on attempts to evade defenses, such as: bypass execution of digitally signed binaries. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/mavinject_process_injection.yaral References ['https://cloud.google.com/security/products/security-operations' 'https://cloud.google.com/chronicle/docs/secops/secops-overview' 'https://github.com/chronicle/detection-rules']

ATT&CK Subtechniques

Technique ID	Technique Name	Number of Mappings
T1218.011	Rundll32	5
T1218.013	Mavinject	13
T1218.004	InstallUtil	12
T1218.007	Msiexec	10
T1218.003	CMSTP	13
T1218.002	Control Panel	12
T1218.015	Electron Applications	20
T1218.008	Odbcconf	12
T1218.012	Verclsid	17
T1218.005	Mshta	13
T1218.001	Compiled HTML File	11
T1218.010	Regsvr32	6
T1218.009	Regsvcs/Regasm	12
T1218.014	MMC	12