System Binary Proxy Execution

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. [1] Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands. [2][3]

Adversaries may abuse application binaries installed on a system for proxy execution of malicious code or domain-specific commands. These commands could be used to target local resources on the device or networked devices within the environment through defined APIs (Execution through API) or application-specific programming languages (e.g., MicroSCADA SCIL). Application binaries may be signed by the developer or generally trusted by the operators, analysts, and monitoring tools accustomed to the environment. These applications may be developed and/or directly provided by the device vendor to enable configuration, management, and operation of their devices without many alternatives.

Adversaries may seek to target these trusted application binaries to execute or send commands without the development of custom malware. For example, adversaries may target a SCADA server binary which has the existing ability to send commands to substation devices, such as through IEC 104 command messages. Proxy execution may still require the development of custom tools to hook into the application binary’s execution.

ID: T0894
Sub-techniques: No sub-techniques
Tactic: Evasion
Platforms: None
Version: 1.0
Created: 25 March 2024
Last Modified: 08 April 2024

Procedure Examples

ID Name Description
C0034 2022 Ukraine Electric Power Attack

During the 2022 Ukraine Electric Power Attack, Sandworm Team executed a MicroSCADA application binary scilc.exe to send a predefined list of SCADA instructions specified in a file defined by the adversary, s1.txt. The executed command C:\sc\prog\exec\scilc.exe -do pack\scil\s1.txt leverages the SCADA software to send unauthorized command messages to remote substations.[4]

Targeted Assets

ID Asset
A0008 Application Server
A0007 Control Server
A0006 Data Historian
A0002 Human-Machine Interface (HMI)
A0012 Jump Host
A0001 Workstation

Mitigations

ID Mitigation Description
M0938 Execution Prevention

Disallow the execution of applications/programs which are not required for normal system functions, including any specific command-line arguments which may allow the execution of proxy commands or application binaries.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and associated arguments for application programs which support executing custom code, scripts, commands, or executables.

DS0009 Process Process Creation

Monitor for unusual process execution, especially for processes that allow the proxy execution of malicious files.

DS0012 Script Script Execution

Monitor for any suspicious attempts to enable script execution on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
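The command-execution and process-creation detections above, combined into one check, as an added example that is not part of the ATT&CK page: it reads constructed process-creation records (Sysmon-style Image, ParentImage and CommandLine fields), matches the scilc.exe -do <file> pattern from the procedure example, and flags any run whose parent process or command file is outside a site baseline. The baseline values and the scada_supervisor.exe parent name are hypothetical placeholders.

```python
import re

# Application binaries that can proxy execution, keyed by image name, with the
# argument pattern that makes them run a file of commands. scilc.exe -do <file>
# comes from the procedure example on this page.
PROXY_CAPABLE = {
    "scilc.exe": re.compile(r"(?i)\s-do\s+(?P<script>\S+)"),
}

# Site baseline: which parent normally launches the binary and which command
# files it normally runs. Both values are hypothetical placeholders that an
# operator would fill from their own environment (stored lowercase).
BASELINE = {
    "scilc.exe": {
        "parents": {r"c:\sc\prog\exec\scada_supervisor.exe"},
        "scripts": {r"pack\scil\startup.txt"},
    },
}

def assess(event):
    """Return the reasons a process-creation event is suspicious ([] if none)."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    pattern = PROXY_CAPABLE.get(image)
    if pattern is None:
        return []                      # not a proxy-capable binary
    match = pattern.search(event["CommandLine"])
    if match is None:
        return []                      # binary ran without its command-file argument
    reasons = []
    if event["ParentImage"].lower() not in BASELINE[image]["parents"]:
        reasons.append("unexpected parent " + event["ParentImage"])
    if match.group("script").lower() not in BASELINE[image]["scripts"]:
        reasons.append("unbaselined command file " + match.group("script"))
    return reasons

def scan(events):
    """Return (CommandLine, reasons) for every event that raised a reason."""
    return [(e["CommandLine"], r) for e in events if (r := assess(e))]

# Constructed sample records in Sysmon-style fields; not real incident telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\sc\prog\exec\scilc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\sc\prog\exec\scilc.exe -do pack\scil\s1.txt"},
    {"Image": r"C:\sc\prog\exec\scilc.exe", "ParentImage": r"C:\sc\prog\exec\scada_supervisor.exe",
     "CommandLine": r"C:\sc\prog\exec\scilc.exe -do pack\scil\startup.txt"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe pack\scil\s1.txt"},
]

if __name__ == "__main__":
    for cmd, reasons in scan(SAMPLE_EVENTS):
        print(cmd, "->", "; ".join(reasons))
```

Only the first record is reported, with both an unexpected parent and an unbaselined command file; the baseline run and the unrelated notepad.exe process produce nothing.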

References