System Binary Proxy Execution T1218

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.

Events covered

39 catalog events are tagged with this technique by at least one rule.

| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Sysmon | Event ID 3 | Network connection |
| Sysmon | Event ID 7 | Image loaded |
| Sysmon | Event ID 8 | CreateRemoteThread |
| Sysmon | Event ID 10 | ProcessAccess |
| Sysmon | Event ID 11 | FileCreate |
| Sysmon | Event ID 12 | RegistryEvent (Object create and delete) |
| Sysmon | Event ID 13 | RegistryEvent (Value Set) |
| Sysmon | Event ID 14 | RegistryEvent (Key and Value Rename) |
| Sysmon | Event ID 22 | DNSEvent (DNS query) |
| Sysmon | Event ID 23 | FileDelete (File Delete archived) |
| Sysmon | Event ID 29 | FileExecutableDetected |
| Security-Auditing | Event ID 4663 | An attempt was made to access an object. |
| Security-Auditing | Event ID 4688 | A new process has been created. |
| Security-Auditing | Event ID 5156 | The Windows Filtering Platform has permitted a connection. |
| Defender-DeviceEvents | any | Defender event (any) |
| Defender-DeviceEvents | CreateRemoteThreadApiCall | CreateRemoteThread API call |
| Defender-DeviceEvents | ClrUnbackedModuleLoaded | CLR unbacked module loaded |
| Defender-DeviceEvents | NtAllocateVirtualMemoryRemoteApiCall | Remote virtual memory allocation (NtAllocateVirtualMemory) |
| Defender-DeviceEvents | MemoryRemoteProtect | Remote virtual memory protection change |
| Defender-DeviceEvents | NtMapViewOfSectionRemoteApiCall | Remote section map (NtMapViewOfSection) |
| Defender-DeviceEvents | QueueUserApcRemoteApiCall | Remote APC queued (QueueUserApc) |
| Defender-DeviceEvents | SetThreadContextRemoteApiCall | Remote thread context change (SetThreadContext) |
| Defender-DeviceFileEvents | FileCreated | File created |
| Defender-DeviceFileEvents | FileRenamed | File renamed |
| Defender-DeviceImageLoadEvents | any | Image load (any) |
| Defender-DeviceImageLoadEvents | ImageLoaded | Image loaded |
| Defender-DeviceProcessEvents | any | Process activity (any) |
| Defender-DeviceProcessEvents | ProcessCreated | Process created |
| DotNETRuntime | Event ID 152 | ModuleID=ModuleID. |
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
| Threat-Intelligence | Event ID 1 | Remote Virtual Memory Allocation |
| Threat-Intelligence | Event ID 2 | Remote Virtual Memory Protection Change |
| Threat-Intelligence | Event ID 3 | Remote Section Map |
| Threat-Intelligence | Event ID 4 | Remote APC Queue |
| Threat-Intelligence | Event ID 5 | Remote Thread Context Change |
| MsiInstaller | Event ID 1040 | Beginning a Windows Installer transaction: %0 |
| MsiInstaller | Event ID 1042 | Ending a Windows Installer transaction: %0 |

Authoring guide

Patterns shared across the 526 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (90 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| CommandLine | 274 | contains 176, regex_match 36, match 35, in 25, ends_with 21, eq 5, wildcard 5, is_null 3, starts_with 2, is_not_null 1 | http://, https://, .dll, (?i)\w+tps?://\S+\.msi, ftp:// |
| Image | 219 | ends_with 204, contains 12, wildcard 7, eq 6, starts_with 5, in 3 | \rundll32.exe, \cmd.exe, \regsvr32.exe, \cscript.exe, \mshta.exe |
| OriginalFileName | 173 | eq 170, in 2, contains 1, is_null 1 | rundll32.exe, regsvr32.exe, mshta.exe, hh.exe, installutil.exe |
| process_name | 159 | eq 120, match 17, regex_match 11, in 7, ne 5, ends_with 1, wildcard 1 | rundll32.exe, cmd.exe, mshta.exe, msiexec.exe, regsvr32.exe |
| EventID | 115 | eq 115 | 4688, 1, 4104, 4103, 7 |
| ParentImage | 76 | ends_with 59, eq 16, contains 4, starts_with 4, wildcard 2, in 1, is_null 1 | \cmd.exe, \cscript.exe, \mshta.exe, \excel.exe, \powershell.exe |
| parent_process_name | 69 | eq 47, regex_match 10, match 8, in 3, contains 2 | mshta.exe, explorer.exe, cmd.exe, mmc.exe, msiexec.exe |
| event.type | 61 | eq 61 | start, creation, change |
| Type | 44 | eq 44 | |
| process.args | 25 | eq 19, wildcard 10, starts_with 7, contains 2, ends_with 1 | -c, -i, /i, C:\Intel\, && |
| ParentCommandLine | 17 | contains 12, ends_with 1, eq 1, in 1, length_compare 1, regex_match 1, wildcard 1 | -embedding, /processid:{3e000d72-a845-4cd9-bd83-80c07c3b881f}, /processid:{3e5fc7f9-9a51-4367-9063-a120244fbec7}, /processid:{bd54c901-076b-434e-b6c7-17c531f4ab41}, #568 |
| TargetFilename | 16 | ends_with 9, contains 5, in 4, wildcard 1 | *\\windows\\pla\\reports\\*, *\\windows\\pla\\rules\\*, .dll, .exe, .sed |
| EventType | 14 | eq 12, in 1, starts_with 1 | start, creation, ClrUnbackedModuleLoaded, CreateRemoteThreadApiCall, Image loaded |
| ImageLoaded | 14 | ends_with 7, in 4, contains 3, starts_with 3, regex_match 1 | .dll, *\\cmlua.dll, *\\cmluautil.dll, *\\cmstplua.dll, *\\fastprox.dll |
| Initiated | 12 | eq 12 | true, incoming, ingress, egress, outgoing |

Top indicator values (2641 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| event.type | eq | start | 58 | 241 |
| EventID | eq | 4688 | 44 | 312 |
| EventID | eq | 1 | 36 | 232 |
| EventID | eq | 4104 | 17 | 268 |
| process_name | eq | rundll32.exe | 40 | 55 |
| process_name | eq | cmd.exe | 21 | 75 |
| process_name | eq | mshta.exe | 20 | 28 |
| process_name | eq | powershell.exe | 20 | 99 |
| process_name | eq | msiexec.exe | 18 | 22 |
| process_name | eq | regsvr32.exe | 17 | 23 |
| process_name | eq | installutil.exe | 14 | 16 |
| process_name | eq | wscript.exe | 14 | 26 |
| process_name | eq | cscript.exe | 12 | 22 |
| process_name | eq | pwsh.exe | 11 | 60 |
| Image | ends_with | \rundll32.exe | 38 | 103 |
| Image | ends_with | \regsvr32.exe | 28 | 68 |
| Image | ends_with | \mshta.exe | 24 | 69 |
| Image | ends_with | \powershell.exe | 20 | 186 |
| Image | ends_with | \cmd.exe | 19 | 134 |
| Image | ends_with | \pwsh.exe | 19 | 172 |
| Image | ends_with | \cscript.exe | 18 | 76 |
| Image | ends_with | \wscript.exe | 18 | 78 |
| Image | ends_with | \certutil.exe | 10 | 44 |
| OriginalFileName | eq | rundll32.exe | 35 | 62 |
| OriginalFileName | eq | regsvr32.exe | 16 | 27 |
| OriginalFileName | eq | mshta.exe | 10 | 22 |
| CommandLine | contains | \appdata\local\temp\ | 10 | 28 |
| CommandLine | contains | http | 10 | 38 |
| CommandLine | contains | http:// | 10 | 19 |
| CommandLine | contains | https:// | 10 | 18 |

Exclusions (766 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
|---|---|---|---|
| dest_ip | cidr_match | 10.0.0.0/8 | 13 |
| dest_ip | cidr_match | 127.0.0.0/8 | 13 |
| dest_ip | cidr_match | 169.254.0.0/16 | 13 |
| dest_ip | cidr_match | 172.16.0.0/12 | 13 |
| dest_ip | cidr_match | 192.168.0.0/16 | 13 |
| dest_ip | cidr_match | ::1/128 | 7 |
| dest_ip | cidr_match | fc00::/7 | 7 |
| dest_ip | cidr_match | fe80::/10 | 7 |
| dest_ip | cidr_match | 100.64.0.0/10 | 6 |
| dest_ip | cidr_match | 192.0.0.0/24 | 6 |
| dest_ip | cidr_match | 192.0.0.0/29 | 6 |
| dest_ip | cidr_match | 192.0.0.10/32 | 6 |
| dest_ip | cidr_match | 192.0.0.170/32 | 6 |
| dest_ip | cidr_match | 192.0.0.171/32 | 6 |
| dest_ip | cidr_match | 192.0.0.8/32 | 6 |
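As an added example that is not part of the catalog, the following Python sketch applies the authoring advice from the Top indicator values and Exclusions sections: it normalizes vendor field names the way the catalog does, narrows the noisy rundll32 Image indicator with a CommandLine http(s):// condition, and then filters through the five most-excluded dest_ip ranges. The FIELD_ALIASES map and the three sample events are constructed assumptions, not catalog data.

```python
import ipaddress

# Vendor field names that the catalog collapses into one normalized row
# (Sigma Image, Elastic process.name, Splunk process_name, and so on). Assumed map.
FIELD_ALIASES = {
    "Image": "process_name", "process.name": "process_name",
    "CommandLine": "command_line", "process.command_line": "command_line",
    "DestinationIp": "dest_ip", "destination.ip": "dest_ip",
}
# The five most-excluded dest_ip cidr_match ranges from the Exclusions table.
EXCLUDED_DEST = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

def normalize(event):
    """Rename vendor-specific keys to the catalog's normalized field names."""
    return {FIELD_ALIASES.get(k, k): v for k, v in event.items()}

def is_excluded(dest_ip):
    """True when dest_ip parses and falls inside an excluded CIDR range."""
    try:
        addr = ipaddress.ip_address(dest_ip or "")
    except ValueError:  # missing or unparsable address: do not exclude
        return False
    return any(addr in net for net in EXCLUDED_DEST)

def rundll32_with_url(event):
    """Noisy indicator (rundll32.exe image, corpus reach 103) narrowed by a
    CommandLine contains http:// or https:// condition, minus the exclusions."""
    ev = normalize(event)
    # Accept both full paths (Sigma Image) and bare image names (Elastic/Splunk).
    image = str(ev.get("process_name", "")).lower().rsplit("\\", 1)[-1]
    cmd = str(ev.get("command_line", "")).lower()
    if image != "rundll32.exe" or ("http://" not in cmd and "https://" not in cmd):
        return False
    return not is_excluded(ev.get("dest_ip"))

# Constructed sample events, one per vendor field convention (not real telemetry).
SAMPLES = [
    # Sigma-style: rundll32 with no URL in the command line -> no match
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    # Elastic-style: URL present, but destination is inside 10.0.0.0/8 -> excluded
    {"process.name": "rundll32.exe",
     "process.command_line": "rundll32.exe helper.dll,Run https://10.20.30.40/pkg",
     "destination.ip": "10.20.30.40"},
    # Splunk-style: URL present and a public (TEST-NET-2) destination -> fires
    {"process_name": "rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\u\AppData\Local\Temp\a.dll,Start http://198.51.100.7/x",
     "dest_ip": "198.51.100.7"},
]
```

Swapping the EXCLUDED_DEST list for the full exclusion table, IPv6 entries included, works unchanged because ipaddress handles both address families.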

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.

Sigma: 253 rules
Elastic: 71 rules
Splunk: 196 rules
Kusto: 6 rules