Signed Binary Proxy Execution

Technique
ID T1218
Tactic Defense Evasion, Execution
Platform Windows
Permissions Required User
Data Sources Process monitoring, Process command-line parameters
Supports Remote No
Defense Bypassed Application whitelisting, Digital Certificate Validation
Contributors Praetorian

Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft-signed binaries that are present by default on Windows installations can be used to proxy execution of other files. Adversaries may abuse this behavior to execute malicious files in a way that bypasses application whitelisting and signature validation on systems. This technique accounts for proxy execution methods that are not already covered by existing techniques.

Mavinject.exe

Mavinject.exe is a Windows utility that allows for code execution. Mavinject can be used to inject a DLL into a running process.[1]

"C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe" <PID> /INJECTRUNNING <PATH DLL>
C:\Windows\system32\mavinject.exe <PID> /INJECTRUNNING <PATH DLL>

SyncAppvPublishingServer.exe

SyncAppvPublishingServer.exe can be used to run PowerShell scripts without executing powershell.exe.[2]

Several other binaries exist that may be used to perform similar behavior.[3]

Mitigation

Certain signed binaries that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these binaries if they are not required for a given system or network, to prevent potential misuse by adversaries.

Detection

Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.
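As an added example that is not part of this page, the following Python pass applies that guidance to a handful of constructed process-creation events: it flags mavinject.exe / MavInject32.exe launches carrying /INJECTRUNNING (ranking severity by where the DLL lives) and SyncAppvPublishingServer.exe launches whose arguments look like inline PowerShell. The event field names, the trusted DLL roots and the cmdlet heuristic are assumptions for the example, not from the page.

```python
import re
import shlex
from pathlib import PureWindowsPath

# Constructed process-creation events (image, command line, parent), loosely shaped like
# Sysmon Event ID 1 fields. They are made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mavinject.exe",
     "cmdline": r"mavinject.exe 4321 /INJECTRUNNING C:\Users\Public\stage.dll",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe",
     "cmdline": r'"C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe" 880 /INJECTRUNNING "C:\Program Files\Common Files\microsoft shared\ClickToRun\hook.dll"',
     "parent": r"C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe"},
    {"image": r"C:\Windows\System32\SyncAppvPublishingServer.exe",
     "cmdline": r'SyncAppvPublishingServer.exe "Get-Date; Get-Location"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\SyncAppvPublishingServer.exe",
     "cmdline": r"SyncAppvPublishingServer.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt",
     "parent": r"C:\Windows\explorer.exe"},
]

# Assumed roots from which a DLL handed to mavinject is least surprising; anything else ranks higher.
TRUSTED_DLL_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def detect(events):
    """Return (severity, image name, detail) findings for proxy-execution patterns."""
    findings = []
    for ev in events:
        name = PureWindowsPath(ev["image"]).name.lower()
        args = shlex.split(ev["cmdline"], posix=False)[1:]  # drop argv[0], keep quotes intact
        if name in ("mavinject.exe", "mavinject32.exe"):
            if any(a.upper() == "/INJECTRUNNING" for a in args):
                dll = args[-1].strip('"')
                sev = "low" if dll.lower().startswith(TRUSTED_DLL_ROOTS) else "high"
                findings.append((sev, name, f"DLL injection into PID {args[0]} with {dll} (parent {ev['parent']})"))
        elif name == "syncappvpublishingserver.exe":
            # A routine App-V sync carries no script-looking arguments; inline PowerShell
            # shows up as Verb-Noun cmdlets or statement separators on the command line.
            joined = " ".join(args)
            if re.search(r";|\b[A-Z][a-z]+-[A-Z]\w+", joined):
                findings.append(("high", name, f"inline PowerShell via App-V binary: {joined}"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

The parent process is carried in each finding so the "low" ClickToRun case can be correlated with its expected Office parent, which is the false-positive reduction the text above calls for.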