System Binary Proxy Execution T1218

Tactic: Stealth

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.

Events covered

42 catalog events are tagged with this technique by at least one rule.

Provider | Event | Title
Sysmon | Event ID 1 | Process creation
Sysmon | Event ID 3 | Network connection
Sysmon | Event ID 7 | Image loaded
Sysmon | Event ID 8 | CreateRemoteThread
Sysmon | Event ID 10 | ProcessAccess
Sysmon | Event ID 11 | FileCreate
Sysmon | Event ID 12 | RegistryEvent (Object create and delete)
Sysmon | Event ID 13 | RegistryEvent (Value Set)
Sysmon | Event ID 14 | RegistryEvent (Key and Value Rename)
Sysmon | Event ID 22 | DNSEvent (DNS query)
Sysmon | Event ID 23 | FileDelete (File Delete archived)
Sysmon | Event ID 29 | FileExecutableDetected
Security-Auditing | Event ID 4663 | An attempt was made to access an object.
Security-Auditing | Event ID 4688 | A new process has been created.
Security-Auditing | Event ID 5156 | The Windows Filtering Platform has permitted a connection.
Defender-DeviceEvents | CreateRemoteThreadApiCall | CreateRemoteThread API call
Defender-DeviceEvents | ClrUnbackedModuleLoaded | CLR unbacked module loaded
Defender-DeviceEvents | NtAllocateVirtualMemoryRemoteApiCall | Remote virtual memory allocation (NtAllocateVirtualMemory)
Defender-DeviceEvents | MemoryRemoteProtect | Remote virtual memory protection change
Defender-DeviceEvents | NtMapViewOfSectionRemoteApiCall | Remote section map (NtMapViewOfSection)
Defender-DeviceEvents | QueueUserApcRemoteApiCall | Remote APC queued (QueueUserApc)
Defender-DeviceEvents | SetThreadContextRemoteApiCall | Remote thread context change (SetThreadContext)
Defender-DeviceEvents | ReadProcessMemoryApiCall | ReadProcessMemory API call
Defender-DeviceFileEvents | FileCreated | File created
Defender-DeviceFileEvents | FileRenamed | File renamed
Defender-DeviceImageLoadEvents | any | Image load (any)
Defender-DeviceImageLoadEvents | ImageLoaded | Image loaded
Defender-DeviceNetworkEvents | any | Network activity (any)
Defender-DeviceProcessEvents | any | Process activity (any)
Defender-DeviceProcessEvents | ProcessCreated | Process created
ESF | exec | Process Execution (Notify)
DotNETRuntime | Event ID 152 | ModuleID=ModuleID.
PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData.
PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal).
Threat-Intelligence | Event ID 1 | Remote Virtual Memory Allocation
Threat-Intelligence | Event ID 2 | Remote Virtual Memory Protection Change
Threat-Intelligence | Event ID 3 | Remote Section Map
Threat-Intelligence | Event ID 4 | Remote APC Queue
Threat-Intelligence | Event ID 5 | Remote Thread Context Change
Threat-Intelligence | Event ID 11 | Local Virtual Memory Read
MsiInstaller | Event ID 1040 | Beginning a Windows Installer transaction: %0
MsiInstaller | Event ID 1042 | Ending a Windows Installer transaction: %0

Authoring guide

Patterns shared across the 552 rules tagged with this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (109 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
CommandLine | 280 | contains 178, regex_match 36, match 35, in 26, ends_with 21, eq 5, wildcard 5, is_not_null 4, is_null 3, starts_with 2 | http://, https://, .dll, (?i)\w+tps?://\S+\.msi, ftp://
Image | 225 | ends_with 205, contains 12, wildcard 8, eq 6, starts_with 6, in 3, is_not_null 3 | \rundll32.exe, \cmd.exe, \regsvr32.exe, \cscript.exe, \mshta.exe
OriginalFileName | 174 | eq 171, in 2, contains 1, is_null 1 | rundll32.exe, regsvr32.exe, mshta.exe, hh.exe, installutil.exe
process_name | 169 | eq 123, match 17, regex_match 11, in 10, ne 5, wildcard 4, is_not_null 2, ends_with 1 | rundll32.exe, cmd.exe, mshta.exe, msiexec.exe, regsvr32.exe
EventID | 117 | eq 115, in 2 | 4688, 1, 4104, 4103, 7
ParentImage | 77 | ends_with 59, eq 17, contains 4, starts_with 4, wildcard 2, in 1, is_not_null 1, is_null 1 | \cmd.exe, \cscript.exe, \mshta.exe, \excel.exe, \powershell.exe
parent_process_name | 75 | eq 50, regex_match 10, match 8, in 6, contains 2 | mshta.exe, cmd.exe, explorer.exe, msiexec.exe, mmc.exe
event.type | 71 | eq 70, ne 1 | start, creation, change, deletion
Type | 44 | eq 44 | (none listed)
process.args | 26 | eq 19, wildcard 10, starts_with 7, contains 2, ends_with 1, in 1 | -c, -i, /i, C:\Intel\, &&
EventType | 20 | eq 15, in 3, starts_with 2 | start, exec, Image loaded, ProcessRollup2, connection_attempted
ParentCommandLine | 20 | contains 13, is_not_null 2, wildcard 2, ends_with 1, eq 1, in 1, length_compare 1, regex_match 1 | -embedding, /processid:{3e000d72-a845-4cd9-bd83-80c07c3b881f}, /processid:{3e5fc7f9-9a51-4367-9063-a120244fbec7}, /processid:{bd54c901-076b-434e-b6c7-17c531f4ab41}, #568
TargetFilename | 17 | ends_with 9, contains 5, in 4, wildcard 2 | *\\windows\\pla\\reports\\*, *\\windows\\pla\\rules\\*, .dll, .exe, .sed
ImageLoaded | 14 | ends_with 7, in 4, contains 3, starts_with 3, regex_match 1 | .dll, *\\cmlua.dll, *\\cmluautil.dll, *\\cmstplua.dll, *\\fastprox.dll
Initiated | 12 | eq 12 | true, incoming, ingress, egress, outgoing

Top indicator values (3006 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
event.type | eq | start | 66 | 606
EventID | eq | 4688 | 44 | 313
EventID | eq | 1 | 36 | 237
EventID | eq | 4104 | 17 | 268
process_name | eq | rundll32.exe | 43 | 60
process_name | eq | cmd.exe | 21 | 77
process_name | eq | mshta.exe | 21 | 31
process_name | eq | powershell.exe | 20 | 104
process_name | eq | msiexec.exe | 18 | 22
process_name | eq | regsvr32.exe | 17 | 25
process_name | eq | installutil.exe | 14 | 18
process_name | eq | wscript.exe | 14 | 29
process_name | eq | cscript.exe | 12 | 25
process_name | eq | pwsh.exe | 11 | 62
Image | ends_with | \rundll32.exe | 38 | 95
Image | ends_with | \regsvr32.exe | 28 | 65
Image | ends_with | \mshta.exe | 24 | 67
Image | ends_with | \powershell.exe | 20 | 182
Image | ends_with | \cmd.exe | 19 | 130
Image | ends_with | \pwsh.exe | 19 | 168
Image | ends_with | \cscript.exe | 18 | 73
Image | ends_with | \wscript.exe | 18 | 75
Image | ends_with | \certutil.exe | 10 | 43
OriginalFileName | eq | rundll32.exe | 35 | 62
OriginalFileName | eq | regsvr32.exe | 16 | 26
OriginalFileName | eq | mshta.exe | 10 | 22
CommandLine | contains | \appdata\local\temp\ | 10 | 26
CommandLine | contains | http | 10 | 39
CommandLine | contains | http:// | 10 | 21
CommandLine | contains | https:// | 10 | 21

Exclusions (923 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
dest_ip | cidr_match | 10.0.0.0/8 | 14
dest_ip | cidr_match | 127.0.0.0/8 | 14
dest_ip | cidr_match | 169.254.0.0/16 | 14
dest_ip | cidr_match | 172.16.0.0/12 | 14
dest_ip | cidr_match | 192.168.0.0/16 | 14
dest_ip | cidr_match | 100.64.0.0/10 | 7
dest_ip | cidr_match | 192.0.0.0/24 | 7
dest_ip | cidr_match | 192.0.0.0/29 | 7
dest_ip | cidr_match | 192.0.0.10/32 | 7
dest_ip | cidr_match | 192.0.0.170/32 | 7
dest_ip | cidr_match | 192.0.0.171/32 | 7
dest_ip | cidr_match | 192.0.0.8/32 | 7
dest_ip | cidr_match | 192.0.0.9/32 | 7
dest_ip | cidr_match | 192.0.2.0/24 | 7
dest_ip | cidr_match | 192.175.48.0/24 | 7

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule's entry carries its full predicates, exclusions, and indicators.

Sigma 254 rules

Elastic 88 rules

Splunk 203 rules

Kusto 7 rules