Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.
Similarly, on Linux systems adversaries may abuse trusted binaries such as <code>split</code> to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1218 | System Binary Proxy Execution | |
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1218 | System Binary Proxy Execution |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1218 | System Binary Proxy Execution |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1218 | System Binary Proxy Execution |
Comments
Google Security Ops is able to trigger an alert based on attempts to evade defenses, such as: bypass execution of digitally signed binaries.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/mavinject_process_injection.yaral
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1218.011 | Rundll32 | 6 |
| T1218.013 | Mavinject | 14 |
| T1218.004 | InstallUtil | 12 |
| T1218.007 | Msiexec | 10 |
| T1218.003 | CMSTP | 13 |
| T1218.002 | Control Panel | 12 |
| T1218.015 | Electron Applications | 21 |
| T1218.008 | Odbcconf | 12 |
| T1218.012 | Verclsid | 17 |
| T1218.005 | Mshta | 14 |
| T1218.001 | Compiled HTML File | 11 |
| T1218.010 | Regsvr32 | 6 |
| T1218.009 | Regsvcs/Regasm | 12 |
| T1218.014 | MMC | 13 |