Home/ATT&CK Technique/System Binary Proxy Execution
ATT&CK Technique

System Binary Proxy Execution

T1218 · stealth

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation.

Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.

LinuxmacOSWindows

Actors Using This

14
iranAgrius
russia_speaking_cybercrimeAkira
russia_speaking_cybercrimeALPHV / BlackCat
latin_america_brazilian_organized_cybercrimeAmavaldo
north_koreaAndariel
franceAnimal Farm
chinaAoqin Dragon
chinaAPT10
chinaAPT17
chinaAPT1
russiaAPT28
russiaAPT29
chinaAPT31
iranAPT33

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
execution same
T1574.011 · Services Registry Permissions Weakness ×1.16
persistence same
T1547.009 · Shortcut Modification ×1.16
privilege-escalation same
T1134 · Access Token Manipulation ×1.16T1546 · Event Triggered Execution ×1.16
credential-access same
T1003.002 · Security Account Manager ×1.16T1212 · Exploitation for Credential Access ×1.16
discovery same
T1482 · Domain Trust Discovery ×1.16
command-and-control same
T1105 · Ingress Tool Transfer ×1.16
other same
T1553 · Subvert Trust Controls ×1.16T1036.004 · Masquerade Task or Service ×1.16T1564.001 · Hidden Files and Directories ×1.16T1553.002 · Code Signing ×1.16T1564.003 · Hidden Window ×1.16T1027.010 · Command Obfuscation ×1.16T1070.006 · Timestomp ×1.16

Atomic Tests

16
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
command_promptelevatedwindowsmavinject - Inject DLL into running process
Injects arbitrary DLL into running process specified by process ID. Requires Windows 10. 
mavinject.exe #{process_id} /INJECTRUNNING "#{dll_payload}"
command_promptwindowsRegister-CimProvider - Execute evil dll
Execute arbitrary dll. Requires at least Windows 8/2012. Also note this dll can be served up via SMB 
C:\Windows\SysWow64\Register-CimProvider.exe -Path "#{dll_payload}"
command_promptwindowsInfDefaultInstall.exe .inf Execution
Test execution of a .inf using InfDefaultInstall.exe Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml 
InfDefaultInstall.exe "#{inf_to_execute}"
command_promptwindowsProtocolHandler.exe Downloaded a Suspicious File
Emulates attack via documents through protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file. 
FOR /F "tokens=2*" %a in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe" /V PATH') do set microsoft_wordpath=%b
call "%microsoft_wordpath%\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"
powershellwindowsMicrosoft.Workflow.Compiler.exe Payload Execution
Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe 
#{mwcpath}\#{mwcname} "#{xml_payload}" output.txt
powershellwindowsRenamed Microsoft.Workflow.Compiler.exe Payload Executions
Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe 
&"#{renamed_binary}" "#{xml_payload}" output.txt
powershellwindowsInvoke-ATHRemoteFXvGPUDisablementCommand base test
RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). One of the PowerShell functions called by RemoteFXvGPUDisablement.exe is Get-VMRemoteFXPhysicalVideoAdapter, a part of the Hyper-V module. This atomic test influences RemoteFXvGPUDisablement.exe to execute custom PowerShell code by using a technique referred to as "PowerShell module load-order hijacking" where a module containing, in this case, an implementation of the Get-VMRemoteFXPhysicalVideoAdapter is loaded first by way of introducing a temporary module into the first directory listed in the %PSModulePath% environment variable or within a user-specified module directory outside of %PSModulePath%. Upon execution the temporary module is deleted. Invoke-ATHRemoteFXvGPUDisablementCommand is used in this test to demonstrate how a PowerShell host executable can be directed to user-supplied PowerShell code without needing to supply anything at the command-line. PowerShell code execution is triggered when supplying the "Disable" argument to RemoteFXvGPUDisablement.exe. The Invoke-ATHRemoteFXvGPUDisablementCommand function outputs all relevant execution-related artifacts. Reference: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 
Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath #{module_path}
powershellwindowsDiskShadow Command Execution
Emulates attack with a DiskShadow.exe (LOLBIN installed by default on Windows) being used to execute arbitrary commands Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ 
#{dspath} -S #{txt_payload}
command_promptwindowsLoad Arbitrary DLL via Wuauclt (Windows Update Client)
This test uses Wuauclt to load an arbitrary DLL. Upon execution with the default inputs, calculator.exe will be launched. See https://dtm.uk/wuauclt/ 
wuauclt.exe /UpdateDeploymentProvider "#{arbitrary_dll}" /RunHandlerComServer
command_promptwindowsLolbin Gpscript logon option
Executes logon scripts configured in Group Policy. https://lolbas-project.github.io/lolbas/Binaries/Gpscript/ https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ 
Gpscript /logon
command_promptwindowsLolbin Gpscript startup option
Executes startup scripts configured in Group Policy https://lolbas-project.github.io/lolbas/Binaries/Gpscript/ https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ 
Gpscript /startup
command_promptwindowsLolbas ie4uinit.exe use as proxy
Executes commands from a specially prepared ie4uinit.inf file. Poc from : https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ Reference: https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/ 
copy #{Path_ie4uinit} %TEMP%\ie4uinit.exe
copy "#{Path_inf}" %TEMP%\ieuinit.inf
%TEMP%\ie4uinit.exe -BaseSettings
powershellelevatedwindowsLOLBAS CustomShellHost to Spawn Process
This test simulates an adversary copying `customshellhost.exe` and `calc.exe` from `C:\windows\system32\` to `C:\temp\`, renaming `calc.exe` to `explorer.exe`. Upon execution, customshellhost.exe will spawn calc.exe. Note this will only work on Windows 10 or 11. [LOLBAS](https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/) [BishopFox](https://bishopfox.com/blog/edr-bypass-with-lolbins) 
if (-not (Test-Path #{dest_path})) {
New-Item -Path #{dest_path} -ItemType Directory
} else {
Write-Host "Directory #{dest_path} already exists." }
Copy-Item -Path "C:\windows\system32\customshellhost.exe" -Destination "#{dest_path}\customshellhost.exe" -Force
Copy-Item -Path "C:\windows\system32\calc.exe" -Destination "#{dest_path}\explorer.exe" -Force
#{dest_path}\customshellhost.exe
command_promptwindowsProvlaunch.exe Executes Arbitrary Command via Registry Key
Provlaunch.exe executes a command defined in the Registry. This test will create the necessary registry keys and values, then run provlaunch.exe to execute an arbitrary command. - https://twitter.com/0gtweet/status/1674399582162153472 - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/ Registry keys are deleted after successful execution. 
reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1 /v altitude /t REG_DWORD /d 0
reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe
c:\windows\system32\provlaunch.exe LOLBin
powershellwindowsLOLBAS Msedge to Spawn Process
Executes a process under a trusted Microsoft signed binary,mseddge. This test will spawn "calc.exe" as a child process of msedge.exe - https://lolbas-project.github.io/lolbas/Binaries/Msedge/ 
$edgePath64 = "C:\Program Files\Microsoft\Edge\Application\msedge.exe"
if (Test-Path $edgePath64) {
    $edgePath = $edgePath64
} else {
    # Check 32-bit Edge installation path
    $edgePath32 = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    if (Test-Path $edgePath32) {
        $edgePath = $edgePath32
    } else {
        exit 1
    }
}
& $edgePath --disable-gpu-sandbox --gpu-launcher="C:\\Windows\\System32\\calc.exe &&"
sleep 5
taskkill -f -im msedge.exe
taskkill -f -im calc.exe
taskkill -f -im win32calc.exe
powershellwindowsSystem Binary Proxy Execution - Wlrmdr Lolbin
Use wlrmdr(Windows Logon Reminder executable) as a proxy binary to evade defensive countermeasures
wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u "#{payload_path}"

Mitigations

6
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1021Restrict Web-Based Content

Restricting web-based content involves enforcing policies and technologies that limit access to potentially malicious websites, unsafe downloads, and unauthorized browser behaviors. This can include URL filtering, download restrictions, script blocking, and extension control to protect against exploitation, phishing, and malware delivery.

Deploy Web Proxy Filtering
  • Use solutions to filter web traffic based on categories, reputation, and content types.
  • Enforce policies that block unsafe websites or file types at the gateway level.
Enable DNS-Based Filtering
  • Implement tools to restrict access to domains associated with malware or phishing campaigns.
  • Use public DNS filtering services to enhance protection.
Enforce Content Security Policies (CSP)
  • Configure CSP headers on internal and external web applications to restrict script execution, iframe embedding, and cross-origin requests.
Control Browser Features
  • Disable unapproved browser features like automatic downloads, developer tools, or unsafe scripting.
  • Enforce policies through tools like Group Policy Management to control browser settings.
Monitor and Alert on Web-Based Threats
  • Use SIEM tools to collect and analyze web proxy logs for signs of anomalous or malicious activity.
  • Configure alerts for access attempts to blocked domains or repeated file download failures.
M1026Privileged Account Management

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.

Account Permissions and Roles
  • Implement RBAC and least privilege principles to allocate permissions securely.
  • Use tools like Active Directory Group Policies to enforce access restrictions.
Credential Security
  • Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
  • Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).
Multi-Factor Authentication (MFA)
  • Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.
Privileged Access Management (PAM)
  • Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.
Auditing and Monitoring
  • Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.
Just-In-Time Access
  • Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.
Tools for Implementation Privileged Access Management (PAM)
  • CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.
Credential Management
  • Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.
Multi-Factor Authentication
  • Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.
Linux Privilege Management
  • sudo configuration, SELinux, AppArmor.
Just-In-Time Access
  • Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.
M1037Filter Network Traffic

Employ network appliances and endpoint software to filter ingress, egress, and lateral network traffic. This includes protocol-based filtering, enforcing firewall rules, and blocking or restricting traffic based on predefined conditions to limit adversary movement and data exfiltration.

Ingress Traffic Filtering
  • Use Case: Configure network firewalls to allow traffic only from authorized IP addresses to public-facing servers.
  • Implementation: Limit SSH (port 22) and RDP (port 3389) traffic to specific IP ranges.
Egress Traffic Filtering
  • Use Case: Use firewalls or endpoint security software to block unauthorized outbound traffic to prevent data exfiltration and command-and-control (C2) communications.
  • Implementation: Block outbound traffic to known malicious IPs or regions where communication is unexpected.
Protocol-Based Filtering
  • Use Case: Restrict the use of specific protocols that are commonly abused by adversaries, such as SMB, RPC, or Telnet, based on business needs.
  • Implementation: Disable SMBv1 on endpoints to prevent exploits like EternalBlue.
Network Segmentation
  • Use Case: Create network segments for critical systems and restrict communication between segments unless explicitly authorized.
  • Implementation: Implement VLANs to isolate IoT devices or guest networks from core business systems.
Application Layer Filtering
  • Use Case: Use proxy servers or Web Application Firewalls (WAFs) to inspect and block malicious HTTP/S traffic.
  • Implementation: Configure a WAF to block SQL injection attempts or other web application exploitation techniques.
M1038Execution Prevention

Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions.

Application Control
  • Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution.
  • Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., `New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.
xml"`) Script Blocking
  • Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources.
  • Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g.
, Set-ExecutionPolicy AllSigned) Executable Blocking
  • Use Case: Prevent execution of binaries from suspicious locations, such as %TEMP% or %APPDATA% directories.
  • Implementation: Block execution of .exe, .bat, or .ps1 files from user-writable directories.
Dynamic Analysis Prevention
  • Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time.
  • Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.
M1042Disable or Remove Feature or Program

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled.

Remove Legacy Software
  • Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash).
  • Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.
Disable Unused Features
  • Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required.
  • Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.
Control Applications Installed by Users
  • Use Case: Prevent users from installing unauthorized software via group policies or other management tools.
  • Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.
Remove Unnecessary Services
  • Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices.
  • Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.
Restrict Add-ons and Plugins
  • Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes.
  • Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.
M1050Exploit Protection

Deploy capabilities that detect, block, and mitigate conditions indicative of software exploits. These capabilities aim to prevent exploitation by addressing vulnerabilities, monitoring anomalous behaviors, and applying exploit-mitigation techniques to harden systems and software.

Operating System Exploit Protections
  • Use Case: Enable built-in exploit protection features provided by modern operating systems, such as Microsoft's Exploit Protection, which includes techniques like Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG).
  • Implementation: Enforce DEP for all programs and enable ASLR to randomize memory addresses used by system and application processes. Windows: Configure Exploit Protection through the Windows Security app or deploy settings via Group Policy. ExploitProtectionExportSettings.exe -path "exploit_settings.xml" Linux: Use Kernel-level hardening features like SELinux, AppArmor, or GRSEC to enforce memory protections and prevent exploits.
Third-Party Endpoint Security
  • Use Case: Use endpoint protection tools with built-in exploit protection, such as enhanced memory protection, behavior monitoring, and real-time exploit detection.
  • Implementation: Deploy tools to detect and block exploitation attempts targeting unpatched software.
Virtual Patching
  • Use Case: Use tools to implement virtual patches that mitigate vulnerabilities in applications or operating systems until official patches are applied.
  • Implementation: Use Intrusion Prevention System (IPS) to block exploitation attempts on known vulnerabilities in outdated applications.
Hardening Application Configurations
  • Use Case: Disable risky application features that can be exploited, such as macros in Microsoft Office or JScript in Internet Explorer.
  • Implementation: Configure Microsoft Office Group Policies to disable execution of macros in downloaded files.

Detection Coverage

2/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 135
Analytics (MITRE CAR) 5
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

CAR Analytics

5
MITRE Cyber Analytics Repository - field-tested detection logic for this technique, written as pseudocode/queries you adapt to your own SIEM (Splunk, Sentinel, EQL). Each is a ready starting point for a detection rule, not just a description.
CAR-2014-03-006Moderate coverageRunDLL32.exe monitoring

Adversaries may find it necessary to use Dyanamic-link Libraries (DLLs) to evade defenses. One way these DLLs can be "executed" is through the use of the built-in Windows utility RunDLL32, which allows a user to execute code in a DLL, providing the name and optional arguments to an exported entry point. Windows uses RunDll32 legitimately in its normal operation, but with a proper baseline and understanding of the environment, monitoring its usage could be fruitful.

pseudocode
process = search Process:Create
rundll32 = filter process where (exe == "rundll32.exe")
output rundll32
DNIF
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=rundll32.exe limit 100
LogPoint
norm_id=WindowsSysmon event_id=1 image="*\rundll32.exe"
CAR-2019-04-002Low coverageGeneric Regsvr32

Regsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This analytic looks for suspicious usage of the tool. It's not likely that you'll get millions of hits, but it does occur during normal activity so some form of baselining would be necessary for this to be an alerting analytic.

Alternatively, it can be used for hunt by looking for new or anomalous DLLs manually.

splunk - Main Pattern
index=__your_sysmon_data__ EventCode=1 regsvr32.exe | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*"
pseudocode - Main Pattern - pseudocode
processes = search Process:Create
regsvr_processes = filter processes where (
  parent_image_path == "*regsvr32.exe" and image_path != "*regsvr32.exe*"
 )
output regsvr_processes
splunk - New items since last month
index=__your_sysmon_data__ earliest=-d@d latest=now() EventCode=1 regsvr32.exe | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*" | search NOT [
search index=__your_sysmon_data__ earliest=-60d@d latest=-30d@d EventCode=1 regsvr32.exe | search ParentImage="*regsvr32.exe" AND Image!="*regsvr32.exe*" | dedup CommandLine | fields CommandLine ]
splunk - Spawning child processes
index=__your_sysmon_data__ EventCode=1 (ParentImage="C:\\Windows\\System32\\regsvr32.exe" OR ParentImage="C:\\Windows\\SysWOW64\\regsvr32.exe") AND Image!="C:\\Windows\\System32\\regsvr32.exe" AND Image!="C:\\Windows\\SysWOW64\\regsvr32.exe" AND Image!="C:\\WINDOWS\\System32\\regsvr32.exe" AND Image!="C:\\WINDOWS\\SysWOW64\\regsvr32.exe" AND Image!="C:\\Windows\\SysWOW64\\WerFault.exe" AND Image!="C:\\Windows\\System32\\wevtutil.exe" AND Image!="C:\\Windows\\System32\\WerFault.exe"|stats values(ComputerName) as "Computer Name" values(ParentCommandLine) as "Parent Command Line" count(Image) as ImageCount by Image
pseudocode - Spawning child processes - pseudocode
processes = search Process:Create
regsvr_processes = filter processes where (
  (parent_image_path == "C:\Windows\System32\regsvr32.exe" or parent_image_path == "C:\Windows\SysWOW64\regsvr32.exe") and
  image_path != "C:\Windows\System32\regsvr32.exe" and
  image_path != "C:\Windows\SysWOW64\regsvr32.exe" and
  image_path != "C:\Windows\SysWOW64\WerFault.exe" and
  image_path != "C:\Windows\System32\WerFault.exe" and
  image_path != "C:\Windows\System32\wevtutil.exe"
 )
output regsvr_processes
splunk - Loading unsigned images
index=__your_sysmon_data__ EventCode=7 (Image="C:\\Windows\\System32\\regsvr32.exe" OR Image="C:\\Windows\\SysWOW64\\regsvr32.exe") Signed=false ImageLoaded!="C:\\Program Files*" ImageLoaded!="C:\\Windows\\*"|stats values(ComputerName) as "Computer Name" count(ImageLoaded) as ImageLoadedCount by ImageLoaded
CAR-2019-04-003Moderate coverageSquiblydoo

Squiblydoo is a specific usage of regsvr32.dll to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It can be seen by looking for regsvr32.exe executions that load the scrobj.dll (which execute the COM scriptlet) or, if that is too noisy, those that also load content directly via HTTP or HTTPS. Squiblydoo was first written up by Casey Smith at Red Canary, though that blog post is no longer accessible.

splunk
index=__your_sysmon_events__ EventCode=1 regsvr32.exe scrobj.dll | search Image="*regsvr32.exe"
EQL
process where subtype.create and
  (process_path == "*regsvr32.exe" and command_line == "*scrobj.dll")
psuedocode
processes = search Process:Create
squiblydoo_processes = filter processes where (
  image_path == "*regsvr32.exe" and command_line == "*scrobj.dll"
  )
output squiblydoo_processes
LogPoint
norm_id=WindowsSysmon event_id=1 image="*\regsvr32.exe" command="*scrobj.dll"
CAR-2020-11-009High coverageCompiled HTML Access

Adversaries may hide malicious code in .chm compiled HTML files. When these files are read, Windows uses the HTML help executable named hh.exe, which is the signature for this analytic.

Pseudocode - Pseudocode - instances of hh.exe
processes = search Process:Create
target_processes = filter processes where (exe="C:\Windows\syswow64\hh.exe" OR exe="C:\Windows\system32\hh.exe")
output target_processes
Splunk - Splunk Search - hh.exe
(index=__your_sysmon_index__ EventCode=1) (Image="C:\\Windows\\syswow64\\hh.exe" OR Image="C:\\Windows\\system32\\hh.exe")
LogPoint - LogPoint Search - hh.exe
norm_id=WindowsSysmon event_id=1 (image="C:\Windows\syswow64\hh.exe" OR image="C:\Windows\system32\hh.exe")
CAR-2020-11-010High coverageCMSTP

CMSTP.exe is the Microsoft Connection Manager Profile Installer, which can be leveraged to setup listeners that will receive and install malware from remote sources in trusted fashion. When CMSTP.exe is seen in combination with an external connection, it is a good indication of this TTP.

Pseudocode - Pseudocode - CMSTP
processes = search Process:Create
target_processes = filter processes where (
  exe="C:\Windows\System32\CMSTP.exe" AND
  src_ip NOT IN [10.0.0.0/8,192.168.0.0/16, 172.16.0.0/12] )
output target_processes
Splunk - Splunk Search - CMSTP
(index=__your_sysmon_index__ EventCode=3) Image="C:\\Windows\\System32\\CMSTP.exe" | where ((!cidrmatch("10.0.0.0/8", SourceIp) AND !cidrmatch("192.168.0.0/16", SourceIp) AND !cidrmatch("172.16.0.0/12", SourceIp))
LogPoint - LogPoint Search - CMSTP
norm_id=WindowsSysmon event_id=3 image="C:\Windows\System32\CMSTP.exe" -source_address IN HOMENET

Comply & Defend

NIST 800-53AC-02, AC-03, AC-04, AC-05, AC-06, CA-07, CM-02, CM-05, CM-06, CM-07, CM-08, CM-11, IA-02, RA-05, SC-07, SI-03, SI-04, SI-07, SI-10, SI-16
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin