T1218

Windows Linux macOS
System Binary Proxy Execution

Description

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.

Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.

Similarly, on Linux systems adversaries may abuse trusted binaries such as <code>split</code> to proxy execution of malicious commands.

Sub-techniques

T1218.001 — Compiled HTML File T1218.002 — Control Panel T1218.003 — CMSTP T1218.004 — InstallUtil T1218.005 — Mshta T1218.007 — Msiexec T1218.008 — Odbcconf T1218.009 — Regsvcs/Regasm T1218.010 — Regsvr32 T1218.011 — Rundll32 T1218.012 — Verclsid T1218.013 — Mavinject T1218.014 — MMC T1218.015 — Electron Applications