1. Home
  2. Techniques
  3. Enterprise
  4. System Binary Proxy Execution

System Binary Proxy Execution

ID Name
T1218.001 Compiled HTML File
T1218.002 Control Panel
T1218.003 CMSTP
T1218.004 InstallUtil
T1218.005 Mshta
T1218.007 Msiexec
T1218.008 Odbcconf
T1218.009 Regsvcs/Regasm
T1218.010 Regsvr32
T1218.011 Rundll32
T1218.012 Verclsid
T1218.013 Mavinject
T1218.014 MMC
T1218.015 Electron Applications

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.[1] Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.

Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.[2][3]

ID: T1218
Sub-techniques:  T1218.001, T1218.002, T1218.003, T1218.004, T1218.005, T1218.007, T1218.008, T1218.009, T1218.010, T1218.011, T1218.012, T1218.013, T1218.014, T1218.015
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: Hans Christoffer Gaardløs; Nishan Maharjan, @loki248; Praetorian; Wes Hurd
Version: 3.2
Created: 18 April 2018
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G0032 Lazarus Group

Lazarus Group lnk files used for persistence have abused the Windows Update Client (wuauclt.exe) to execute a malicious DLL.[4][5]
G1017 Volt Typhoon

Volt Typhoon has used native tools and processes including living off the land binaries or "LOLBins" to maintain and expand access to the victim networks.[6]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Many native binaries may not be necessary within a given environment.
M1038 Execution Prevention

Consider using application control to prevent execution of binaries that are susceptible to abuse and not required for a given system or network.
M1050 Exploit Protection

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using using trusted binaries to bypass application control.
M1037 Filter Network Traffic

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
M1026 Privileged Account Management

Restrict execution of particularly vulnerable binaries to privileged accounts or groups that need to use it to lessen the opportunities for malicious usage.
M1021 Restrict Web-Based Content

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0081 Detection of Proxy Execution via Trusted Signed Binaries Across Platforms AN0226

Execution of trusted, Microsoft-signed binaries such as rundll32.exe, msiexec.exe, or regsvr32.exe used to execute externally hosted, unsigned, or suspicious payloads through command-line parameters or network retrieval.
AN0227

Execution of trusted system binaries (e.g., split, tee, bash, env) used in uncommon sequences or chained behaviors to execute malicious payloads or perform actions inconsistent with normal system or script behavior.
AN0228

Use of system binaries such as osascript, bash, or curl to download or execute unsigned code or files in conjunction with application proxying.

References

  1. Oddvar Moe et al. (2022, February). Living Off The Land Binaries, Scripts and Libraries. Retrieved March 7, 2022.
  2. Torbjorn Granlund, Richard M. Stallman. (2020, March null). split(1) — Linux manual page. Retrieved March 25, 2022.
  3. GTFOBins. (2020, November 13). split. Retrieved April 18, 2022.
  1. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  2. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  3. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.