T1218 System Binary Proxy Execution
Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.2 Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.
Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.31
| Item | Value |
|---|---|
| ID | T1218 |
| Sub-techniques | T1218.001, T1218.002, T1218.003, T1218.004, T1218.005, T1218.007, T1218.008, T1218.009, T1218.010, T1218.011, T1218.012, T1218.013, T1218.014, T1218.015 |
| Tactics | TA0005 |
| Platforms | Linux, Windows, macOS |
| Version | 3.2 |
| Created | 18 April 2018 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0032 | Lazarus Group | Lazarus Group lnk files used for persistence have abused the Windows Update Client (wuauclt.exe) to execute a malicious DLL.45 |
| G1017 | Volt Typhoon | |
| Volt Typhoon has used native tools and processes including living off the land binaries or “LOLBins” to maintain and expand access to the victim networks.6 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | Many native binaries may not be necessary within a given environment. |
| M1038 | Execution Prevention | Consider using application control to prevent execution of binaries that are susceptible to abuse and not required for a given system or network. |
| M1050 | Exploit Protection | Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using using trusted binaries to bypass application control. |
| M1037 | Filter Network Traffic | Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. |
| M1026 | Privileged Account Management | Restrict execution of particularly vulnerable binaries to privileged accounts or groups that need to use it to lessen the opportunities for malicious usage. |
| M1021 | Restrict Web-Based Content | Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. |
References
-
GTFOBins. (2020, November 13). split. Retrieved April 18, 2022. ↩
-
Oddvar Moe et al. (2022, February). Living Off The Land Binaries, Scripts and Libraries. Retrieved March 7, 2022. ↩
-
Torbjorn Granlund, Richard M. Stallman. (2020, March null). split(1) — Linux manual page. Retrieved March 25, 2022. ↩
-
Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. ↩
-
Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. ↩
-
CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024. ↩