T1218

System Binary Proxy Execution

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Micr...

Platforms: Linux, macOS, Windows

245 Detections
5 Sources
2 Threat Actors

BY SOURCE

sigma: 145
elastic: 78
splunk_escu: 15
kql: 5
crowdstrike_cql: 2

PROCEDURES (89)

Auto-extracted categories (keyword stem: number of matching detections):

Process Creation Monitoring: 52 detections
Child Process: 13 detections
Download: 13 detections
Suspicious: 8 detections
Bypass: 7 detections
Network Connection Monitoring: 6 detections
Powershell: 6 detections
Powershell: 5 detections
General Monitoring: 5 detections
Script Execution Monitoring: 4 detections
File Monitoring: 4 detections
Remote: 4 detections
Anomal: 3 detections
Powershell: 3 detections
Unusual: 3 detections
Unusual: 3 detections
Lateral: 3 detections
Event Log: 3 detections
Persist: 3 detections
Parent Process: 2 detections
Bypass: 2 detections
Exfiltrat: 2 detections
Child Process: 2 detections
Registry: 2 detections
Startup: 2 detections
Registry: 2 detections
Command And Control: 2 detections
Lsass: 2 detections
Phish: 2 detections
Inject: 2 detections
Parent Process: 2 detections
Inject: 2 detections
Suspicious: 2 detections
Dns: 2 detections
Bypass: 2 detections
Remote: 2 detections
Scheduled Task: 2 detections
Lsass: 2 detections
Api: 2 detections
Suspicious: 2 detections
Remote: 2 detections
Phish: 1 detection
C2: 1 detection
Anomal: 1 detection
Exfiltrat: 1 detection
Parent Process: 1 detection
Office: 1 detection
Evasion: 1 detection
Privilege: 1 detection
Suspicious: 1 detection
Persist: 1 detection
Bypass: 1 detection
Service: 1 detection
Command Line Monitoring: 1 detection
Child Process: 1 detection
Service: 1 detection
Unusual: 1 detection
Download: 1 detection
Exfiltrat: 1 detection
Http: 1 detection
Unusual: 1 detection
Wmi: 1 detection
Office: 1 detection
Dump: 1 detection
Event Log: 1 detection
Http: 1 detection
Http: 1 detection
Privilege: 1 detection
Wmi: 1 detection
Inject: 1 detection
Ntds: 1 detection
Dll Side: 1 detection
Privilege: 1 detection
Service: 1 detection
Evasion: 1 detection
Persist: 1 detection
Credential: 1 detection
Credential: 1 detection
Evasion: 1 detection
Lateral: 1 detection
C2: 1 detection
Wmi: 1 detection
Download: 1 detection
Child Process: 1 detection
Remote: 1 detection
Unusual: 1 detection
Ntds: 1 detection
Module Load Monitoring: 1 detection
Privilege: 1 detection

THREAT ACTORS (2)

DETECTIONS (245)

Listed as: detection name (source, severity where the source assigns one)

Abusing Print Executable (sigma, medium)
AddinUtil.EXE Execution From Uncommon Directory (sigma, medium)
AgentExecutor PowerShell Execution (sigma, medium)
Arbitrary Command Execution Using WSL (sigma, medium)
Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE (sigma, medium)
Arbitrary File Download Via IMEWDBLD.EXE (sigma, high)
Arbitrary File Download Via MSEDGE_PROXY.EXE (sigma, medium)
Arbitrary File Download Via MSOHTMED.EXE (sigma, medium)
Arbitrary File Download Via MSPUB.EXE (sigma, medium)
Arbitrary File Download Via PresentationHost.EXE (sigma, medium)
Arbitrary File Download Via Squirrel.EXE (sigma, medium)
Arbitrary MSI Download Via Devinit.EXE (sigma, medium)
Atbroker Registry Change (sigma, medium)
BaaUpdate.exe Suspicious DLL Load (sigma, high)
Binary Proxy Execution Via Dotnet-Trace.EXE (sigma, medium)
BitLockerTogo.EXE Execution (sigma, low)
Certutil Remote Download (kql)
Cisco NVM - Suspicious Network Connection From Process With No Args (splunk_escu)
COM Object Execution via Xwizard.EXE (sigma, medium)
Command and Scripting Interpreter via Windows Scripts (elastic, high)
Command Shell Activity Started via RunDLL32 (elastic, low)
Control Panel Process with Unusual Arguments (elastic, high)
Created Files by Microsoft Sync Center (sigma, medium)
Curl Download And Execute Combination (sigma, high)
Curl or Wget Egress Network Connection via LoLBin (elastic, medium)
Delayed Execution via Ping (elastic, low)
DeviceCredentialDeployment Execution (sigma, medium)
Devtoolslauncher.exe Executes Specified Binary (sigma, high)
Diskshadow Child Process Spawned (sigma, medium)
Diskshadow Script Mode - Execution From Potential Suspicious Location (sigma, medium)
Diskshadow Script Mode - Uncommon Script Extension Execution (sigma, medium)
Diskshadow Script Mode Execution (sigma, medium)
DLL Execution via Rasautou.exe (sigma, medium)
DLL Loaded via CertOC.EXE (sigma, medium)
Dllhost.EXE Initiated Network Connection To Non-Local IP Address (sigma, medium)
Dynamic Linker (ld.so) Creation (elastic, medium)
Execute Files with Msdeploy.exe (sigma, medium)
Execute Pcwrun.EXE To Leverage Follina (sigma, high)
Execution DLL of Choice Using WAB.EXE (sigma, high)
Execution from Unusual Directory - Command Line (elastic, medium)
Execution of a Downloaded Windows Script (elastic, medium)
Execution of COM object via Xwizard (elastic, medium)
Execution of Persistent Suspicious Program (elastic, medium)
Execution via GitHub Actions Runner (elastic, medium)
Execution via OpenClaw Agent (elastic, medium)
Execution via stordiag.exe (sigma, high)
Execution via Windows Command Debugging Utility (elastic, medium)
Execution via WorkFolders.exe (sigma, high)
File Download Using ProtocolHandler.exe (sigma, medium)
File Download Via InstallUtil.EXE (sigma, medium)
File Download Via Windows Defender MpCmpRun.EXE (sigma, high)
Gpscript Execution (sigma, medium)
Hidden Flag Set On File/Directory Via Chflags - MacOS (sigma, medium)
Host Detected with Suspicious Windows Process(es) (elastic, low)
HTML Help HH.EXE Suspicious Child Process (sigma, high)
Ie4uinit Lolbin Use From Invalid Path (sigma, medium)
ImageLoad via Windows Update Auto Update Client (elastic, medium)
Import LDAP Data Interchange Format File Via Ldifde.EXE (sigma, medium)
Incoming DCOM Lateral Movement via MSHTA (elastic, high)
Incoming DCOM Lateral Movement with MMC (elastic, high)
Indirect Command Execution By Program Compatibility Wizard (sigma, low)
InfDefaultInstall.exe .inf Execution (sigma, medium)
Insensitive Subfolder Search Via Findstr.EXE (sigma, low)
InstallUtil Process Making Network Connections (elastic, medium)
IPv4 command detected in lolbin execution (kql)
Legitimate Application Dropped Archive (sigma, high)
Legitimate Application Dropped Executable (sigma, high)
Legitimate Application Dropped Script (sigma, high)
Legitimate Application Writing Files In Uncommon Location (sigma, high)
LOLBAS With Network Traffic (splunk_escu)
Lolbin Runexehelper Use As Proxy (sigma, medium)
Lolbin Unregmp2.exe Use As Proxy (sigma, medium)
LOLBin WMIC (crowdstrike_cql)
LOLBin WMIC (crowdstrike_cql)
Malicious PE Execution by Microsoft Visual Studio Debugger (sigma, medium)
Malicious Windows Script Components File Execution by TAEF Detection (sigma, low)
Microsoft Build Engine Started by a Script Process (elastic, medium)
Microsoft Management Console File from Unusual Path (elastic, medium)
Microsoft Sync Center Suspicious Network Connections (sigma, medium)
Microsoft Workflow Compiler Execution (sigma, medium)
MpiExec Lolbin (sigma, high)
MSDT Execution Via Answer File (sigma, high)
MSHTA Executions (kql)
Mshta Making Network Connections (elastic, medium)
MSI Installation From Web (sigma, medium)
MsiExec Service Child Process With Network Connection (elastic, medium)
Network Activity to a Suspicious Top Level Domain (elastic, high)
Network Connection Initiated By AddinUtil.EXE (sigma, high)
Network Connection via Compiled HTML File (elastic, low)
Network Connection via Registration Utility (elastic, low)
Network Connection via Signed Binary (elastic, low)
New Capture Session Launched Via DXCap.EXE (sigma, medium)
New LOLBIN with external connection (kql)
New Self Extracting Package Created Via IExpress.EXE (sigma, medium)
OpenWith.exe Executes Specified Binary (sigma, high)
Outbound MSHTA Connection (kql)
Parent Process Detected with Suspicious Windows Process(es) (elastic, low)
Persistence via a Windows Installer (elastic, medium)
Potential Application Whitelisting Bypass via Dnx.EXE (sigma, medium)
Potential Arbitrary File Download Via Cmdl32.EXE (sigma, medium)
Potential Binary Impersonating Sysinternals Tools (sigma, medium)
Potential Binary Proxy Execution Via Cdb.EXE (sigma, medium)
Potential Binary Proxy Execution Via VSDiagnostics.EXE (sigma, medium)
Potential Command and Control via Internet Explorer (elastic, medium)
Potential Credential Access via Renamed COM+ Services DLL (elastic, high)
Potential Credential Access via Windows Utilities (elastic, high)
Potential CVE-2025-33053 Exploitation (elastic, high)
Potential DLL Sideloading Activity Via ExtExport.EXE (sigma, medium)
Potential DLL Sideloading Using Coregen.exe (sigma, medium)
Potential Escalation via Vulnerable MSI Repair (elastic, high)
Potential Execution via FileFix Phishing Attack (elastic, high)
Potential Fake CAPTCHA Phishing Attack (elastic, high)
Potential File Download Via MS-AppInstaller Protocol Handler (sigma, medium)
Potential File Transfer via Certreq (elastic, medium)
Potential Local NTLM Relay via HTTP (elastic, high)
Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution (sigma, medium)
Potential NTLM Coercion Via Certutil.EXE (sigma, high)
Potential Password Spraying Attempt Using Dsacls.EXE (sigma, medium)
Potential Privilege Escalation via SUID/SGID Proxy Execution (elastic, medium)
Potential Protocol Tunneling via Yuze (elastic, medium)
Potential Provisioning Registry Key Abuse For Binary Proxy Execution (sigma, high)
Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG (sigma, high)
Potential Provlaunch.EXE Binary Proxy Execution Abuse (sigma, medium)
Potential Proxy Execution Via Explorer.EXE From Shell Process (sigma, low)
Potential Register_App.Vbs LOLScript Abuse (sigma, medium)
Potential Remote File Execution via MSIEXEC (elastic, low)
Potential Remote Install via MsiExec (elastic, high)
Potential RemoteFXvGPUDisablement.EXE Abuse (sigma, high)
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module (sigma, high)
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock (sigma, high)
Potential Suspicious Mofcomp Execution (sigma, high)
Potentially Over Permissive Permissions Granted Using Dsacls.EXE (sigma, medium)
Potentially Suspicious Cabinet File Expansion (sigma, medium)
Potentially Suspicious Child Process Of DiskShadow.EXE (sigma, medium)
Potentially Suspicious Child Process Of VsCode (sigma, medium)
Potentially Suspicious Child Processes Spawned by ConHost (sigma, high)
Potentially Suspicious CMD Shell Output Redirect (sigma, medium)
Potentially Suspicious Process Started via tmux or screen (elastic, medium)
Potentially Suspicious Self Extraction Directive File Created (sigma, medium)
Potentially Suspicious Wuauclt Network Connection (sigma, medium)
PowerShell MSI Install via WindowsInstaller COM From Remote Location (sigma, medium)
Process Activity via Compiled HTML File (elastic, medium)
Process Memory Dump Via Dotnet-Dump (sigma, medium)
Process Proxy Execution Via Squirrel.EXE (sigma, medium)
Program Executed Using Proxy/Local Command Via SSH.EXE (sigma, medium)
Proxy Execution Via Wuauclt.EXE (sigma, high)
Proxy Shell Execution via Busybox (elastic, low)
Rare Connection to WebDAV Target (elastic, medium)
REGISTER_APP.VBS Proxy Execution (sigma, medium)
Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly (sigma, medium)
Remote File Download Via Findstr.EXE (sigma, medium)
RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses (sigma, high)
Renamed MegaSync Execution (sigma, high)
Renamed ZOHO Dctask64 Execution (sigma, high)
Rundll32.EXE Calling DllRegisterServer Export Function Explicitly (sigma, medium)
Scheduled Task Creation with Curl and PowerShell Execution Combo (sigma, medium)
Script Execution via Microsoft HTML Application (elastic, high)
Sdiagnhost Calling Suspicious Child Process (sigma, high)
Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location (sigma, high)
Self Extraction Directive File Created In Potentially Suspicious Location (sigma, medium)
Sensitive File Dump Via Print.EXE (sigma, high)
Service Control Spawned via Script Interpreter (elastic, low)
Signed Proxy Execution via MS Work Folders (elastic, medium)
Suspicious .NET Code Compilation (elastic, medium)
Suspicious AddinUtil.EXE CommandLine Execution (sigma, high)
Suspicious AgentExecutor PowerShell Execution (sigma, high)
Suspicious BitLocker Access Agent Update Utility Execution (sigma, high)
Suspicious Child Process Of BgInfo.EXE (sigma, high)
Suspicious Csi.exe Usage (sigma, medium)
Suspicious DLL Loaded via CertOC.EXE (sigma, high)
Suspicious DotNET CLR Usage Log Artifact (sigma, high)
Suspicious Execution from a Mounted Device (elastic, medium)
Suspicious Execution from VS Code Extension (elastic, medium)
Suspicious Explorer Child Process (elastic, medium)
Suspicious HH.EXE Execution (sigma, high)
Suspicious JetBrains TeamCity Child Process (elastic, medium)
Suspicious Managed Code Hosting Process (elastic, high)
Suspicious Microsoft Diagnostics Wizard Execution (elastic, high)
Suspicious Microsoft HTML Application Child Process (elastic, high)
Suspicious MS Office Child Process (elastic, medium)
Suspicious MS Outlook Child Process (elastic, low)
Suspicious MSDT Parent Process (sigma, high)
Suspicious PDF Reader Child Process (elastic, low)
Suspicious Provlaunch.EXE Child Process (sigma, high)
Suspicious ScreenConnect Client Child Process (elastic, medium)
Suspicious Script Object Execution (elastic, medium)
Suspicious Shell Execution via Velociraptor (elastic, medium)
Suspicious SolarWinds Web Help Desk Java Module Load or Child Process (elastic, high)
Suspicious Speech Runtime Binary Child Process (sigma, high)
Suspicious Vsls-Agent Command With AgentExtensionPath Load (sigma, medium)
Suspicious Windows Command Shell Arguments (elastic, high)
Suspicious WMIC XSL Script Execution (elastic, medium)
Suspicious ZipExec Execution (sigma, medium)
SyncAppvPublishingServer Bypass Powershell Restriction - PS Module (sigma, medium)
SyncAppvPublishingServer Execute Arbitrary PowerShell Code (sigma, medium)
SyncAppvPublishingServer Execution to Bypass Powershell Restriction (sigma, medium)
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code (sigma, medium)
Time Travel Debugging Utility Usage (sigma, high)
Time Travel Debugging Utility Usage - Image (sigma, high)
UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer (elastic, medium)