Check out the results from our first round of ATT&CK Evaluations at attackevals.mitre.org!

Signed Binary Proxy Execution

Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems. This technique accounts for proxy execution methods that are not already accounted for within the existing techniques.

Mavinject.exe

Mavinject.exe is a Windows utility that allows for code execution. Mavinject can be used to input a DLL into a running process. [1]

"C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe" /INJECTRUNNING C:\Windows\system32\mavinject.exe /INJECTRUNNING

SyncAppvPublishingServer.exe

SyncAppvPublishingServer.exe can be used to run powershell scripts without executing powershell.exe. [2]

Several others binaries exist that may be used to perform similar behavior. [3]

ID: T1218

Tactic: Defense Evasion, Execution

Platform:  Windows

Permissions Required:  User

Data Sources:  Process monitoring, Process command-line parameters

Supports Remote:  No

Defense Bypassed:  Application whitelisting, Digital Certificate Validation

Contributors:  Praetorian

Version: 1.0

Mitigation

Certain signed binaries that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.

Detection

Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.

References