Skip to content

T1216 System Script Proxy Execution

Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been downloaded from Microsoft or are default on Windows installations can be used to proxy execution of other files.2 This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.1

Item Value
ID T1216
Sub-techniques T1216.001
Tactics TA0005
Platforms Windows
Version 2.0
Created 18 April 2018
Last Modified 18 April 2022

Mitigations

ID Mitigation Description
M1038 Execution Prevention Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application control configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process Process Creation
DS0012 Script Script Execution

References

  1. Moe, O. (2018, March 1). Ultimate AppLocker Bypass List. Retrieved April 10, 2018. 

  2. Oddvar Moe et al. (2022, February). Living Off The Land Binaries, Scripts and Libraries. Retrieved March 7, 2022.