1. Home
  2. ATT&CK Techniques
  3. T1218 System Binary Proxy Execution

T1218 System Binary Proxy Execution Mappings

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.

Similarly, on Linux systems adversaries may abuse trusted binaries such as <code>split</code> to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)

View in MITRE ATT&CK®

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1218 System Binary Proxy Execution

GCP Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
google_secops Google Security Operations technique_scores T1218 System Binary Proxy Execution
Comments
Google Security Ops is able to trigger an alert based on attempts to evade defenses, such as: bypass execution of digitally signed binaries. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/mavinject_process_injection.yaral
References
  1. ['https://cloud.google.com/security/products/security-operations'
  2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
  3. 'https://github.com/chronicle/detection-rules']

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1218.011 Rundll32 1
T1218.013 Mavinject 1
T1218.004 InstallUtil 1
T1218.007 Msiexec 1
T1218.003 CMSTP 2
T1218.002 Control Panel 1
T1218.015 Electron Applications 2
T1218.008 Odbcconf 1
T1218.012 Verclsid 1
T1218.005 Mshta 2
T1218.001 Compiled HTML File 1
T1218.010 Regsvr32 2
T1218.009 Regsvcs/Regasm 1
T1218.014 MMC 1