T1218 Signed Binary Proxy Execution Mappings

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1218 | Signed Binary Proxy Execution |
| AC-3 | Access Enforcement | Protects | T1218 | Signed Binary Proxy Execution |
| AC-5 | Separation of Duties | Protects | T1218 | Signed Binary Proxy Execution |
| AC-6 | Least Privilege | Protects | T1218 | Signed Binary Proxy Execution |
| CA-7 | Continuous Monitoring | Protects | T1218 | Signed Binary Proxy Execution |
| CM-2 | Baseline Configuration | Protects | T1218 | Signed Binary Proxy Execution |
| CM-5 | Access Restrictions for Change | Protects | T1218 | Signed Binary Proxy Execution |
| CM-6 | Configuration Settings | Protects | T1218 | Signed Binary Proxy Execution |
| CM-7 | Least Functionality | Protects | T1218 | Signed Binary Proxy Execution |
| CM-8 | System Component Inventory | Protects | T1218 | Signed Binary Proxy Execution |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1218 | Signed Binary Proxy Execution |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1218 | Signed Binary Proxy Execution |
| SI-10 | Information Input Validation | Protects | T1218 | Signed Binary Proxy Execution |
| SI-4 | System Monitoring | Protects | T1218 | Signed Binary Proxy Execution |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1218 | Signed Binary Proxy Execution |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1218 | Signed Binary Proxy Execution |

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1218.003 | CMSTP | 9 |
| T1218.001 | Compiled HTML File | 8 |
| T1218.002 | Control Panel | 10 |
| T1218.004 | InstallUtil | 9 |
| T1218.005 | Mshta | 9 |
| T1218.007 | Msiexec | 10 |
| T1218.008 | Odbcconf | 9 |
| T1218.009 | Regsvcs/Regasm | 9 |
| T1218.010 | Regsvr32 | 5 |
| T1218.011 | Rundll32 | 5 |
| T1218.012 | Verclsid | 14 |