T1218: System Binary Proxy Execution

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Micr...

Platforms: Windows, Linux, macOS

227 detections, 4 sources, 2 threat actors

BY SOURCE

134 sigma, 78 elastic, 14 splunk_escu, 1 crowdstrike_cql

PROCEDURES (87)

The procedure categories below are auto-extracted from the detection content; each count is the number of detections tagged with that category.

Process Creation Monitoring: 44 detections
Download: 13 detections
Child Process: 12 detections
Bypass: 7 detections
Suspicious: 7 detections
Powershell: 6 detections
Network Connection Monitoring: 5 detections
Script Execution Monitoring: 5 detections
Powershell: 4 detections
Remote: 4 detections
File Monitoring: 4 detections
General Monitoring: 4 detections
Anomal: 3 detections
Persist: 3 detections
Unusual: 3 detections
Powershell: 3 detections
Lateral: 2 detections
Lsass: 2 detections
Bypass: 2 detections
Unusual: 2 detections
Event Log: 2 detections
Remote: 2 detections
Exfiltrat: 2 detections
Unusual: 2 detections
Suspicious: 2 detections
Dns: 2 detections
Bypass: 2 detections
Scheduled Task: 2 detections
Child Process: 2 detections
Lsass: 2 detections
Registry: 2 detections
Privilege: 2 detections
Phish: 2 detections
Command And Control: 2 detections
Registry: 2 detections
Api: 2 detections
Exfiltrat: 2 detections
Remote: 2 detections
Inject: 2 detections
Suspicious: 2 detections
Parent Process: 2 detections
Inject: 2 detections
Startup: 2 detections
Parent Process: 2 detections
Child Process: 2 detections
Evasion: 1 detection
Persist: 1 detection
Download: 1 detection
Credential: 1 detection
Suspicious: 1 detection
Persist: 1 detection
Command Line Monitoring: 1 detection
Evasion: 1 detection
Http: 1 detection
Lateral: 1 detection
C2: 1 detection
Wmi: 1 detection
Download: 1 detection
Unusual: 1 detection
Lsass: 1 detection
Module Load Monitoring: 1 detection
Phish: 1 detection
Http: 1 detection
Http: 1 detection
Dll Side: 1 detection
Privilege: 1 detection
C2: 1 detection
Remote: 1 detection
Wmi: 1 detection
Exfiltrat: 1 detection
Inject: 1 detection
Bypass: 1 detection
Service: 1 detection
Parent Process: 1 detection
Office: 1 detection
Unusual: 1 detection
Wmi: 1 detection
Office: 1 detection
Dump: 1 detection
Persist: 1 detection
Anomal: 1 detection
Event Log: 1 detection
Dll Side: 1 detection
Privilege: 1 detection
Service: 1 detection
Privilege: 1 detection
Credential: 1 detection

THREAT ACTORS (2)

DETECTIONS (227)

Each entry lists the detection name followed by its source and, where the source provides one, its severity level.

Abusing Print Executable (sigma, medium)
AddinUtil.EXE Execution From Uncommon Directory (sigma, medium)
AgentExecutor PowerShell Execution (sigma, medium)
Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE (sigma, medium)
Arbitrary File Download Via IMEWDBLD.EXE (sigma, high)
Arbitrary File Download Via MSEDGE_PROXY.EXE (sigma, medium)
Arbitrary File Download Via MSOHTMED.EXE (sigma, medium)
Arbitrary File Download Via MSPUB.EXE (sigma, medium)
Arbitrary File Download Via PresentationHost.EXE (sigma, medium)
Arbitrary File Download Via Squirrel.EXE (sigma, medium)
Arbitrary MSI Download Via Devinit.EXE (sigma, medium)
Atbroker Registry Change (sigma, medium)
BaaUpdate.exe Suspicious DLL Load (sigma, high)
Binary Proxy Execution Via Dotnet-Trace.EXE (sigma, medium)
BitLockerTogo.EXE Execution (sigma, low)
Cisco NVM - Suspicious Network Connection From Process With No Args (splunk_escu)
COM Object Execution via Xwizard.EXE (sigma, medium)
Command and Scripting Interpreter via Windows Scripts (elastic, high)
Command Shell Activity Started via RunDLL32 (elastic, low)
Control Panel Process with Unusual Arguments (elastic, high)
Created Files by Microsoft Sync Center (sigma, medium)
Curl Download And Execute Combination (sigma, high)
Curl or Wget Egress Network Connection via LoLBin (elastic, medium)
Delayed Execution via Ping (elastic, low)
DeviceCredentialDeployment Execution (sigma, medium)
Devtoolslauncher.exe Executes Specified Binary (sigma, high)
Diskshadow Script Mode - Execution From Potential Suspicious Location (sigma, medium)
Diskshadow Script Mode - Uncommon Script Extension Execution (sigma, medium)
DLL Execution via Rasautou.exe (sigma, medium)
DLL Loaded via CertOC.EXE (sigma, medium)
Dynamic Linker (ld.so) Creation (elastic, medium)
Execute Files with Msdeploy.exe (sigma, medium)
Execute Pcwrun.EXE To Leverage Follina (sigma, high)
Execution DLL of Choice Using WAB.EXE (sigma, high)
Execution from Unusual Directory - Command Line (elastic, medium)
Execution of a Downloaded Windows Script (elastic, medium)
Execution of COM object via Xwizard (elastic, medium)
Execution of Persistent Suspicious Program (elastic, medium)
Execution via GitHub Actions Runner (elastic, medium)
Execution via OpenClaw Agent (elastic, medium)
Execution via stordiag.exe (sigma, high)
Execution via Windows Command Debugging Utility (elastic, medium)
Execution via WorkFolders.exe (sigma, high)
File Download Using ProtocolHandler.exe (sigma, medium)
File Download Via InstallUtil.EXE (sigma, medium)
File Download Via Windows Defender MpCmpRun.EXE (sigma, high)
Gpscript Execution (sigma, medium)
Hidden Flag Set On File/Directory Via Chflags - MacOS (sigma, medium)
Host Detected with Suspicious Windows Process(es) (elastic, low)
HTML Help HH.EXE Suspicious Child Process (sigma, high)
Ie4uinit Lolbin Use From Invalid Path (sigma, medium)
ImageLoad via Windows Update Auto Update Client (elastic, medium)
Import LDAP Data Interchange Format File Via Ldifde.EXE (sigma, medium)
Incoming DCOM Lateral Movement via MSHTA (elastic, high)
Incoming DCOM Lateral Movement with MMC (elastic, high)
Indirect Command Execution By Program Compatibility Wizard (sigma, low)
InfDefaultInstall.exe .inf Execution (sigma, medium)
Insensitive Subfolder Search Via Findstr.EXE (sigma, low)
InstallUtil Process Making Network Connections (elastic, medium)
Legitimate Application Dropped Archive (sigma, high)
Legitimate Application Dropped Executable (sigma, high)
Legitimate Application Dropped Script (sigma, high)
Legitimate Application Writing Files In Uncommon Location (sigma, high)
LOLBAS With Network Traffic (splunk_escu)
Lolbin Runexehelper Use As Proxy (sigma, medium)
Lolbin Unregmp2.exe Use As Proxy (sigma, medium)
LOLBin WMIC (crowdstrike_cql)
Malicious PE Execution by Microsoft Visual Studio Debugger (sigma, medium)
Malicious Windows Script Components File Execution by TAEF Detection (sigma, low)
Microsoft Build Engine Started by a Script Process (elastic, medium)
Microsoft Management Console File from Unusual Path (elastic, medium)
Microsoft Sync Center Suspicious Network Connections (sigma, medium)
MpiExec Lolbin (sigma, high)
MSDT Execution Via Answer File (sigma, high)
Mshta Making Network Connections (elastic, medium)
MSI Installation From Web (sigma, medium)
MsiExec Service Child Process With Network Connection (elastic, medium)
Network Activity to a Suspicious Top Level Domain (elastic, high)
Network Connection Initiated By AddinUtil.EXE (sigma, high)
Network Connection via Compiled HTML File (elastic, low)
Network Connection via Registration Utility (elastic, low)
Network Connection via Signed Binary (elastic, low)
New Capture Session Launched Via DXCap.EXE (sigma, medium)
OpenWith.exe Executes Specified Binary (sigma, high)
Parent Process Detected with Suspicious Windows Process(es) (elastic, low)
Persistence via a Windows Installer (elastic, medium)
Potential Application Whitelisting Bypass via Dnx.EXE (sigma, medium)
Potential Arbitrary File Download Via Cmdl32.EXE (sigma, medium)
Potential Binary Impersonating Sysinternals Tools (sigma, medium)
Potential Binary Proxy Execution Via Cdb.EXE (sigma, medium)
Potential Binary Proxy Execution Via VSDiagnostics.EXE (sigma, medium)
Potential Command and Control via Internet Explorer (elastic, medium)
Potential Credential Access via Renamed COM+ Services DLL (elastic, high)
Potential Credential Access via Windows Utilities (elastic, high)
Potential CVE-2025-33053 Exploitation (elastic, high)
Potential DLL Sideloading Using Coregen.exe (sigma, medium)
Potential Escalation via Vulnerable MSI Repair (elastic, high)
Potential Execution via FileFix Phishing Attack (elastic, high)
Potential Fake CAPTCHA Phishing Attack (elastic, high)
Potential File Download Via MS-AppInstaller Protocol Handler (sigma, medium)
Potential File Transfer via Certreq (elastic, medium)
Potential Local NTLM Relay via HTTP (elastic, high)
Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution (sigma, medium)
Potential NTLM Coercion Via Certutil.EXE (sigma, high)
Potential Password Spraying Attempt Using Dsacls.EXE (sigma, medium)
Potential Privilege Escalation via SUID/SGID Proxy Execution (elastic, medium)
Potential Protocol Tunneling via Yuze (elastic, medium)
Potential Provisioning Registry Key Abuse For Binary Proxy Execution (sigma, high)
Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG (sigma, high)
Potential Provlaunch.EXE Binary Proxy Execution Abuse (sigma, medium)
Potential Register_App.Vbs LOLScript Abuse (sigma, medium)
Potential Remote File Execution via MSIEXEC (elastic, low)
Potential Remote Install via MsiExec (elastic, high)
Potential RemoteFXvGPUDisablement.EXE Abuse (sigma, high)
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module (sigma, high)
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock (sigma, high)
Potential Suspicious Mofcomp Execution (sigma, high)
Potentially Over Permissive Permissions Granted Using Dsacls.EXE (sigma, medium)
Potentially Suspicious Cabinet File Expansion (sigma, medium)
Potentially Suspicious Child Process Of DiskShadow.EXE (sigma, medium)
Potentially Suspicious Child Process Of VsCode (sigma, medium)
Potentially Suspicious Child Processes Spawned by ConHost (sigma, high)
Potentially Suspicious CMD Shell Output Redirect (sigma, medium)
Potentially Suspicious Process Started via tmux or screen (elastic, medium)
Potentially Suspicious Self Extraction Directive File Created (sigma, medium)
Potentially Suspicious Wuauclt Network Connection (sigma, medium)
PowerShell MSI Install via WindowsInstaller COM From Remote Location (sigma, medium)
Process Activity via Compiled HTML File (elastic, medium)
Process Memory Dump Via Dotnet-Dump (sigma, medium)
Process Proxy Execution Via Squirrel.EXE (sigma, medium)
Program Executed Using Proxy/Local Command Via SSH.EXE (sigma, medium)
Proxy Execution Via Wuauclt.EXE (sigma, high)
Proxy Shell Execution via Busybox (elastic, low)
Rare Connection to WebDAV Target (elastic, medium)
REGISTER_APP.VBS Proxy Execution (sigma, medium)
Remote File Download Via Findstr.EXE (sigma, medium)
RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses (sigma, high)
Renamed MegaSync Execution (sigma, high)
Renamed ZOHO Dctask64 Execution (sigma, high)
Scheduled Task Creation with Curl and PowerShell Execution Combo (sigma, medium)
Script Execution via Microsoft HTML Application (elastic, high)
Sdiagnhost Calling Suspicious Child Process (sigma, high)
Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location (sigma, high)
Self Extraction Directive File Created In Potentially Suspicious Location (sigma, medium)
Service Control Spawned via Script Interpreter (elastic, low)
Signed Proxy Execution via MS Work Folders (elastic, medium)
Suspicious .NET Code Compilation (elastic, medium)
Suspicious AddinUtil.EXE CommandLine Execution (sigma, high)
Suspicious AgentExecutor PowerShell Execution (sigma, high)
Suspicious BitLocker Access Agent Update Utility Execution (sigma, high)
Suspicious Child Process Of BgInfo.EXE (sigma, high)
Suspicious Csi.exe Usage (sigma, medium)
Suspicious DLL Loaded via CertOC.EXE (sigma, high)
Suspicious DotNET CLR Usage Log Artifact (sigma, high)
Suspicious Execution from a Mounted Device (elastic, medium)
Suspicious Execution from VS Code Extension (elastic, medium)
Suspicious Explorer Child Process (elastic, medium)
Suspicious HH.EXE Execution (sigma, high)
Suspicious JetBrains TeamCity Child Process (elastic, medium)
Suspicious Managed Code Hosting Process (elastic, high)
Suspicious Microsoft Diagnostics Wizard Execution (elastic, high)
Suspicious Microsoft HTML Application Child Process (elastic, high)
Suspicious MS Office Child Process (elastic, medium)
Suspicious MS Outlook Child Process (elastic, low)
Suspicious MSDT Parent Process (sigma, high)
Suspicious PDF Reader Child Process (elastic, low)
Suspicious Provlaunch.EXE Child Process (sigma, high)
Suspicious ScreenConnect Client Child Process (elastic, medium)
Suspicious Script Object Execution (elastic, medium)
Suspicious Shell Execution via Velociraptor (elastic, medium)
Suspicious SolarWinds Web Help Desk Java Module Load or Child Process (elastic, high)
Suspicious Speech Runtime Binary Child Process (sigma, high)
Suspicious Vsls-Agent Command With AgentExtensionPath Load (sigma, medium)
Suspicious Windows Command Shell Arguments (elastic, high)
Suspicious WMIC XSL Script Execution (elastic, medium)
Suspicious ZipExec Execution (sigma, medium)
SyncAppvPublishingServer Bypass Powershell Restriction - PS Module (sigma, medium)
SyncAppvPublishingServer Execute Arbitrary PowerShell Code (sigma, medium)
SyncAppvPublishingServer Execution to Bypass Powershell Restriction (sigma, medium)
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code (sigma, medium)
Time Travel Debugging Utility Usage (sigma, high)
Time Travel Debugging Utility Usage - Image (sigma, high)
UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer (elastic, medium)
UAC Bypass via Windows Firewall Snap-In Hijack (elastic, medium)
Uncommon Assistive Technology Applications Execution Via AtBroker.EXE (sigma, medium)
Uncommon AddinUtil.EXE CommandLine Execution (sigma, medium)
Uncommon Child Process Of AddinUtil.EXE (sigma, medium)
Uncommon Child Process Of Appvlp.EXE (sigma, medium)
Uncommon Child Process Of BgInfo.EXE (sigma, medium)
Uncommon Child Process Of Defaultpack.EXE (sigma, medium)
Uncommon Child Process Of Setres.EXE (sigma, high)
Uncommon Link.EXE Parent Process (sigma, medium)
Unusual Child Processes of RunDLL32 (elastic, high)
Unusual Execution via Microsoft Common Console File (elastic, high)
Unusual Network Activity from a Windows System Binary (elastic, medium)
Unusual Network Connection via DllHost (elastic, medium)
Unusual Network Connection via RunDLL32 (elastic, medium)
Unusual Process Network Connection (elastic, low)
Unusual Process Spawned by a Host (elastic, low)
Unusual Process Spawned by a Parent Process (elastic, low)