Home
ATT&CK Techniques
T1216 Signed Script Proxy Execution

T1216 Signed Script Proxy Execution Mappings

Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)

View in MITRE ATT&CK®

Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
CM-2	Baseline Configuration	Protects	T1216	Signed Script Proxy Execution
CM-6	Configuration Settings	Protects	T1216	Signed Script Proxy Execution
CM-7	Least Functionality	Protects	T1216	Signed Script Proxy Execution
SI-10	Information Input Validation	Protects	T1216	Signed Script Proxy Execution
SI-4	System Monitoring	Protects	T1216	Signed Script Proxy Execution
SI-7	Software, Firmware, and Information Integrity	Protects	T1216	Signed Script Proxy Execution
action.hacking.variety.Abuse of functionality	Abuse of functionality	related-to	T1216	Signed Script Proxy Execution

ATT&CK Subtechniques

Technique ID	Technique Name	Number of Mappings
T1216.001	PubPrn	7