System Binary Proxy Execution T1218
Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.
Events covered
14 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 136 rules tagged with this technique: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row, so a rule that repeats the same predicate in two places is still counted a single time.
Fields filtered most (27 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (930 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Common exclusions (24 distinct)
Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
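The advice in the three sections above (gate a high-reach indicator with a second condition, and honor the exclusions the community has already learned) applied to sample telemetry, as an added example that is not the catalog's or any vendor's code. The evaluator implements Sigma's "selection and not filter" semantics with the operators from the How column; the rule, its msiexec exclusion and the four process-creation events are constructed for illustration, not rules or logs from the page.

```python
"""Evaluate a Sigma-style rule (condition: selection and not filter) over
constructed process-creation events, to show why an indicator with high corpus
reach needs a second condition and an exclusion before it is useful.

Added example, not the catalog's or any vendor's code. The rule, the exclusion
and the events are constructed; they are not rules or telemetry from the page."""
import fnmatch
import re

# Operators from the 'How' column, applied case-insensitively as Sigma backends do.
OPERATORS = {
    "eq": lambda actual, want: actual.lower() == want.lower(),
    "endswith": lambda actual, want: actual.lower().endswith(want.lower()),
    "contains": lambda actual, want: want.lower() in actual.lower(),
    "wildcard": lambda actual, want: fnmatch.fnmatchcase(actual.lower(), want.lower()),
    "regex_match": lambda actual, want: re.search(want, actual) is not None,
}


def predicate_matches(event, field, op, values):
    """A predicate with a list of values is an OR over the list, as in Sigma."""
    actual = event.get(field)
    if actual is None:
        return False
    if not isinstance(values, list):
        values = [values]
    return any(OPERATORS[op](actual, v) for v in values)


def block_matches(event, block):
    """Predicates inside one selection/filter block are ANDed."""
    return all(predicate_matches(event, f, op, v) for f, op, v in block)


def rule_matches(event, rule):
    """condition: selection and not (filter_1 or filter_2 ...)."""
    return (block_matches(event, rule["selection"])
            and not any(block_matches(event, flt) for flt in rule["filters"]))


def alerts(events, rule):
    """Ids of the events the rule would fire on."""
    return [e["id"] for e in events if rule_matches(e, rule)]


# Constructed rule: the high-reach indicator (rundll32.exe) gated by a
# user-writable DLL path, with an installer exclusion standing in for a
# false-positive path learned in production.
RULE = {
    "selection": [
        ("Image", "endswith", "\\rundll32.exe"),
        ("CommandLine", "contains",
         ["\\AppData\\Local\\Temp\\", "\\Users\\Public\\", "\\ProgramData\\"]),
    ],
    "filters": [
        [("ParentImage", "endswith", "\\msiexec.exe")],  # constructed exclusion
    ],
}

# Constructed process-creation events (Sysmon-style field names).
EVENTS = [
    {"id": "e1", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"id": "e2", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe \"C:\\Users\\alice\\AppData\\Local\\Temp\\MSI4F2.tmp\\setup.dll\",Install",
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe"},
    {"id": "e3", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll,Start",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"id": "e4", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Users\\alice\\AppData\\Local\\Temp\\build.ps1",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def indicator_alone(events):
    """What the first selection predicate (the high-reach indicator) fires on by itself."""
    f, op, v = RULE["selection"][0]
    return [e["id"] for e in events if predicate_matches(e, f, op, v)]


if __name__ == "__main__":
    print("indicator alone:", indicator_alone(EVENTS))
    print("selection only:", alerts(EVENTS, {"selection": RULE["selection"], "filters": []}))
    print("full rule:", alerts(EVENTS, RULE))
```

The indicator on its own fires on every rundll32.exe launch, including the Control Panel one; adding the user-writable path condition drops that but still fires on the installer, and only the exclusion leaves the Word-spawned load from Temp as the single alert. This is the shape the three tables are meant to help you reach: pick the indicator, pick the second condition, then copy the exclusions that other rules under the technique already carry.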
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 132 rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via IMEWDBLD.EXE
- Arbitrary File Download Via MSEDGE_PROXY.EXE
- Arbitrary File Download Via MSOHTMED.EXE
- Arbitrary File Download Via MSPUB.EXE
- Arbitrary File Download Via PresentationHost.EXE
- Arbitrary File Download Via Squirrel.EXE
- Arbitrary MSI Download Via Devinit.EXE
- Atbroker Registry Change
- BaaUpdate.exe Suspicious DLL Load
- Binary Proxy Execution Via Dotnet-Trace.EXE
- BitLockerTogo.EXE Execution
- COM Object Execution via Xwizard.EXE
- Created Files by Microsoft Sync Center
- Curl Download And Execute Combination
- DeviceCredentialDeployment Execution
- Devtoolslauncher.exe Executes Specified Binary
- Diskshadow Script Mode - Execution From Potential Suspicious Location
- Diskshadow Script Mode - Uncommon Script Extension Execution
- DLL Execution via Rasautou.exe
- DLL Loaded via CertOC.EXE
- Execute Files with Msdeploy.exe
- Execute Pcwrun.EXE To Leverage Follina
- Execution DLL of Choice Using WAB.EXE
- Execution via stordiag.exe
- Execution via WorkFolders.exe
- File Download Using ProtocolHandler.exe
- File Download Via InstallUtil.EXE
- File Download Via Windows Defender MpCmpRun.EXE
- Gpscript Execution
- HTML Help HH.EXE Suspicious Child Process
- Ie4uinit Lolbin Use From Invalid Path
- Import LDAP Data Interchange Format File Via Ldifde.EXE
- Indirect Command Execution By Program Compatibility Wizard
- InfDefaultInstall.exe .inf Execution
- Insensitive Subfolder Search Via Findstr.EXE
- Legitimate Application Dropped Archive
- Legitimate Application Dropped Executable
- Legitimate Application Dropped Script
- Legitimate Application Writing Files In Uncommon Location
- Lolbin Runexehelper Use As Proxy
- Lolbin Unregmp2.exe Use As Proxy
- Malicious PE Execution by Microsoft Visual Studio Debugger
- Malicious Windows Script Components File Execution by TAEF Detection
- Microsoft Sync Center Suspicious Network Connections
- MpiExec Lolbin
- MSDT Execution Via Answer File
- MSI Installation From Web
- Network Connection Initiated By AddinUtil.EXE
- New Capture Session Launched Via DXCap.EXE
- OpenWith.exe Executes Specified Binary
- Potential Application Whitelisting Bypass via Dnx.EXE
- Potential Arbitrary File Download Via Cmdl32.EXE
- Potential Binary Impersonating Sysinternals Tools
- Potential Binary Proxy Execution Via Cdb.EXE
- Potential Binary Proxy Execution Via VSDiagnostics.EXE
- Potential DLL Sideloading Using Coregen.exe
- Potential File Download Via MS-AppInstaller Protocol Handler
- Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
- Potential NTLM Coercion Via Certutil.EXE
- Potential Password Spraying Attempt Using Dsacls.EXE
- Potential Provisioning Registry Key Abuse For Binary Proxy Execution
- Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
- Potential Provlaunch.EXE Binary Proxy Execution Abuse
- Potential Register_App.Vbs LOLScript Abuse
- Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
- Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
- Potential Suspicious Mofcomp Execution
- Potentially Over Permissive Permissions Granted Using Dsacls.EXE
- Potentially Suspicious Cabinet File Expansion
- Potentially Suspicious Child Process Of DiskShadow.EXE
- Potentially Suspicious Child Process Of VsCode
- Potentially Suspicious Child Processes Spawned by ConHost
- Potentially Suspicious CMD Shell Output Redirect
- Potentially Suspicious Self Extraction Directive File Created
- Potentially Suspicious Wuauclt Network Connection
- PowerShell MSI Install via WindowsInstaller COM From Remote Location
- Process Memory Dump Via Dotnet-Dump
- Process Proxy Execution Via Squirrel.EXE
- Program Executed Using Proxy/Local Command Via SSH.EXE
- Proxy Execution Via Wuauclt.EXE
- REGISTER_APP.VBS Proxy Execution
- Remote File Download Via Findstr.EXE
- RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
- Renamed MegaSync Execution
- Renamed ZOHO Dctask64 Execution
- Scheduled Task Creation with Curl and PowerShell Execution Combo
- Sdiagnhost Calling Suspicious Child Process
- Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
- Self Extraction Directive File Created In Potentially Suspicious Location
- Suspicious AddinUtil.EXE CommandLine Execution
- Suspicious AgentExecutor PowerShell Execution
- Suspicious BitLocker Access Agent Update Utility Execution
- Suspicious Child Process Of BgInfo.EXE
- Suspicious Csi.exe Usage
- Suspicious DLL Loaded via CertOC.EXE
- Suspicious DotNET CLR Usage Log Artifact
- Suspicious HH.EXE Execution
- Suspicious MSDT Parent Process
- Suspicious Provlaunch.EXE Child Process
- Suspicious Speech Runtime Binary Child Process
- Suspicious Vsls-Agent Command With AgentExtensionPath Load
- Suspicious ZipExec Execution
- SyncAppvPublishingServer Bypass Powershell Restriction - PS Module
- SyncAppvPublishingServer Execute Arbitrary PowerShell Code
- SyncAppvPublishingServer Execution to Bypass Powershell Restriction
- SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
- Time Travel Debugging Utility Usage
- Time Travel Debugging Utility Usage - Image
- Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
- Uncommon AddinUtil.EXE CommandLine Execution
- Uncommon Child Process Of AddinUtil.EXE
- Uncommon Child Process Of Appvlp.EXE
- Uncommon Child Process Of BgInfo.EXE
- Uncommon Child Process Of Defaultpack.EXE
- Uncommon Child Process Of Setres.EXE
- Uncommon Link.EXE Parent Process
- Use of Scriptrunner.exe
- Use Of The SFTP.EXE Binary As A LOLBIN
- Use of VisualUiaVerifyNative.exe
- Verclsid.exe Runs COM Object
- Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
- Visual Studio NodejsTools PressAnyKey Renamed Execution
- Windows MSIX Package Support Framework AI_STUBS Execution
- Windows Shell/Scripting Processes Spawning Suspicious Programs
- Winrs Local Command Execution
- Wlrmdr.EXE Uncommon Argument Or Child Process
- WSL Child Process Anomaly
- XBAP Execution From Uncommon Locations Via PresentationHost.EXE