Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.
Similarly, on Linux systems adversaries may abuse trusted binaries such as <code>split</code> to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)
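Because the binaries involved are legitimately signed and present on every default install, detection usually rests on context rather than on the file itself: which parent spawned the trusted binary, and what its command line points at. The following is an added example (not part of the ATT&CK mapping page or any of the mapped products) of a small triage heuristic over process-creation events. It assumes a simplified event shape (`image`, `command_line`, `parent_image`) and uses constructed sample events; the binary names come from the T1218 sub-technique list on this page plus `split` from the Linux note, while the parent-process and path indicators are the example's own assumptions and would need tuning against real telemetry such as Sysmon Event ID 1.

```python
"""Triage heuristic for System Binary Proxy Execution (T1218) process events.

Added example, not code from the ATT&CK mapping page. Field names and the
indicator lists are assumptions; adapt them to your own process telemetry.
"""
import re
from dataclasses import dataclass

# Trusted binaries named by the T1218 sub-techniques listed on the page.
PROXY_BINARIES = {
    "rundll32.exe", "mavinject.exe", "installutil.exe", "msiexec.exe",
    "cmstp.exe", "control.exe", "odbcconf.exe", "verclsid.exe", "mshta.exe",
    "hh.exe", "regsvr32.exe", "regsvcs.exe", "regasm.exe", "mmc.exe",
    "split",  # Linux example from the technique description
}

# Assumed: parents that rarely have a legitimate reason to spawn the above.
DOCUMENT_HANDLERS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe",
}

# Assumed indicators: remote content (URL or UNC path) and user-writable paths.
REMOTE_CONTENT = re.compile(r"(https?://|\\\\[^\s\\]+\\)", re.IGNORECASE)
USER_WRITABLE_PATH = re.compile(r"(\\temp\\|\\appdata\\|/tmp/)", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcessEvent):
    """Return (score, reasons). Score 0 means the image is not a proxy binary."""
    name = basename(ev.image)
    if name not in PROXY_BINARIES:
        return 0, []
    reasons = [f"trusted proxy binary: {name}"]
    parent = basename(ev.parent_image)
    if parent in DOCUMENT_HANDLERS:
        reasons.append(f"spawned by document handler: {parent}")
    if REMOTE_CONTENT.search(ev.command_line):
        reasons.append("command line references remote content")
    if USER_WRITABLE_PATH.search(ev.command_line):
        reasons.append("command line references a user-writable path")
    return len(reasons), reasons


def triage(events, threshold: int = 2):
    """Return (image name, score, reasons) for events at or above the threshold.

    A bare proxy binary scores 1 and is ignored; it needs at least one
    contextual indicator to surface, which keeps routine OS activity quiet.
    """
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((basename(ev.image), score, reasons))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
                 r"C:\Windows\explorer.exe"),                       # routine, score 1
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 "mshta.exe https://example.invalid/page.hta",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),  # score 3
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\x.dll",
                 r"C:\Windows\explorer.exe"),                       # score 2
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe",
                 r"C:\Windows\explorer.exe"),                       # not a proxy binary
    ProcessEvent("/usr/bin/split", "split -b 1m /tmp/archive.bin part_",
                 "/bin/bash"),                                      # score 2
]

if __name__ == "__main__":
    for name, score, reasons in triage(SAMPLE_EVENTS):
        print(f"{name}: score {score}; " + "; ".join(reasons))
```

The threshold of two is deliberate: the binaries themselves are far too common to alert on alone, so the heuristic only surfaces a trusted binary when at least one contextual indicator accompanies it. In production the indicator lists would be replaced by an allow-list of known parent/command-line pairs built from your own baseline.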
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1218 | System Binary Proxy Execution | This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts. |
PR.IR-01.02 | Network device configurations | Mitigates | T1218 | System Binary Proxy Execution | This diagnostic statement provides protection through secure network device configurations (e.g., firewall rules, ports, and protocols) aligned to security baselines. Using network appliances to block or filter network traffic can help to mitigate this technique. |
PR.AA-05.02 | Privileged system access | Mitigates | T1218 | System Binary Proxy Execution | This diagnostic statement protects against System Binary Proxy Execution through the use of privileged account management and the use of multi-factor authentication. |
DE.CM-06.02 | Third-party access monitoring | Mitigates | T1218 | System Binary Proxy Execution | This diagnostic statement protects against System Binary Proxy Execution through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems. |
DE.CM-01.05 | Website and service blocking | Mitigates | T1218 | System Binary Proxy Execution | This diagnostic statement can help prevent execution of malicious content with signed files or trusted binaries through tools and measures restricting or blocking certain websites, blocking downloads/attachments, and restricting browser extensions. |
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1218 | System Binary Proxy Execution | This diagnostic statement protects against System Binary Proxy Execution through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1218 | System Binary Proxy Execution | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
PR.PS-01.08 | End-user device protection | Mitigates | T1218 | System Binary Proxy Execution | This diagnostic statement protects against System Binary Proxy Execution through limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1218 | System Binary Proxy Execution | |
action.malware.variety.Destroy data | Destroy or corrupt stored data | related-to | T1218 | System Binary Proxy Execution | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1218 | System Binary Proxy Execution | This control's detection is specific to a minority of this technique's sub-techniques, resulting in a Minimal coverage score and consequently an overall score of Minimal. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
google_secops | Google Security Operations | technique_scores | T1218 | System Binary Proxy Execution | Google Security Ops is able to trigger an alert on attempts to evade defenses, such as proxying execution of malicious content through digitally signed binaries. This technique was scored as Minimal based on a low or uncertain detection coverage factor. Reference: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/mavinject_process_injection.yaral |
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1218.011 | Rundll32 | 7 |
T1218.013 | Mavinject | 15 |
T1218.004 | InstallUtil | 13 |
T1218.007 | Msiexec | 12 |
T1218.003 | CMSTP | 14 |
T1218.002 | Control Panel | 13 |
T1218.015 | Electron Applications | 23 |
T1218.008 | Odbcconf | 13 |
T1218.012 | Verclsid | 21 |
T1218.005 | Mshta | 15 |
T1218.001 | Compiled HTML File | 13 |
T1218.010 | Regsvr32 | 7 |
T1218.009 | Regsvcs/Regasm | 13 |
T1218.014 | MMC | 14 |