- Tactics: stealth
- Platforms: Linux, macOS, Windows
- Reference: attack.mitre.org/techniques/T1218
Description
Adversaries may bypass process- and/or signature-based defenses by proxying execution of malicious content through signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft-signed binaries that are present by default on Windows installations can be used to proxy execution of other files or commands.
Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)
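A small defensive check for this technique, added here as an example (it is not code from the page or from GTK Cyber): it screens process-creation events for the signed Windows binaries named in the sub-techniques below and flags those launched from an unusual parent, referencing a remote resource, or loading content from a user-writable path. Field names follow Sysmon event 1 (Image, ParentImage, CommandLine) and the event records are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Signed, OS-native binaries named in this technique's sub-techniques (T1218.001-.014).
PROXY_BINARIES = {
    "hh.exe", "control.exe", "cmstp.exe", "installutil.exe", "mshta.exe",
    "msiexec.exe", "odbcconf.exe", "regsvcs.exe", "regasm.exe", "regsvr32.exe",
    "rundll32.exe", "verclsid.exe", "mavinject.exe", "mmc.exe",
}
# Parents that rarely have a legitimate reason to launch the binaries above (assumed baseline).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe"}
REMOTE_RESOURCE = re.compile(r"(https?://|\\\\[^\\\s]+\\)", re.IGNORECASE)   # URL or UNC path
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|ProgramData)\\", re.IGNORECASE)

def _basename(path):
    return PureWindowsPath(path).name.lower()

def score_event(event):
    """Return the reasons an event looks like signed-binary proxy execution (empty if none)."""
    if _basename(event["Image"]) not in PROXY_BINARIES:
        return []
    reasons = []
    if _basename(event["ParentImage"]) in SUSPICIOUS_PARENTS:
        reasons.append("unusual parent")
    if REMOTE_RESOURCE.search(event["CommandLine"]):
        reasons.append("remote resource in command line")
    if USER_WRITABLE.search(event["CommandLine"]):
        reasons.append("payload in user-writable location")
    return reasons

def find_proxy_execution(events):
    """Map event id -> reasons for every event that scored at least one reason."""
    return {e["id"]: r for e in events if (r := score_event(e))}

SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"id": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,Start"},
    {"id": 2, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\msiexec.exe", "CommandLine": "msiexec.exe /V"},
    {"id": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://cdn.example.invalid/page.hta"},
    {"id": 4, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    print(find_proxy_execution(SAMPLE_EVENTS))  # events 1 and 3 are flagged; 2 and 4 are routine
```

The parent and path lists are a starting baseline, not a complete allow/deny policy; tune them against the legitimate uses of these binaries observed in your own environment to keep false positives down.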
Sub-techniques
- T1218.001 — Compiled HTML File
- T1218.002 — Control Panel
- T1218.003 — CMSTP
- T1218.004 — InstallUtil
- T1218.005 — Mshta
- T1218.007 — Msiexec
- T1218.008 — Odbcconf
- T1218.009 — Regsvcs/Regasm
- T1218.010 — Regsvr32
- T1218.011 — Rundll32
- T1218.012 — Verclsid
- T1218.013 — Mavinject
- T1218.014 — MMC
- T1218.015 — Electron Applications
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the stealth tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1006 — Direct Volume Access
- T1014 — Rootkit
- T1027 — Obfuscated Files or Information
- T1036 — Masquerading
- T1055 — Process Injection
- T1070 — Indicator Removal
- T1078 — Valid Accounts
- T1127 — Trusted Developer Utilities Proxy Execution
- T1134 — Access Token Manipulation
- T1140 — Deobfuscate/Decode Files or Information
- T1197 — BITS Jobs
- T1202 — Indirect Command Execution