T1218 — System Binary Proxy Execution

Technique

T1218

Tactics

Stealth

MISP citations

0

KEV CVEs mapped

2

Community rules

153

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1218

MITRE description

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Similarly, on Linux systems adversaries may abuse trusted binaries such as <code>split</code> to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2021-44077
• CVE-2021-40539

Detection coverage

SigmaHQ community rules

• Potential Devil Bait Malware Reconnaissance (emerging-threats)
• Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE (emerging-threats)
• Potential Compromised 3CXDesktopApp Execution (emerging-threats)
• Potential Suspicious Child Process Of 3CXDesktopApp (emerging-threats)
• Potential Compromised 3CXDesktopApp Update Activity (emerging-threats)
• Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load (emerging-threats)
• Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access (emerging-threats)
• Potential Exploitation of RCE Vulnerability CVE-2025-33053 (emerging-threats)
• Dllhost.EXE Initiated Network Connection To Non-Local IP Address (threat-hunting)
• Diskshadow Child Process Spawned (threat-hunting)
• Diskshadow Script Mode Execution (threat-hunting)
• Potential Proxy Execution Via Explorer.EXE From Shell Process (threat-hunting)
• Potential DLL Sideloading Activity Via ExtExport.EXE (threat-hunting)
• New Self Extracting Package Created Via IExpress.EXE (threat-hunting)
• Microsoft Workflow Compiler Execution (threat-hunting)
• Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly (threat-hunting)
• Rundll32.EXE Calling DllRegisterServer Export Function Explicitly (threat-hunting)
• Arbitrary Command Execution Using WSL (threat-hunting)
• Hidden Flag Set On File/Directory Via Chflags - MacOS (core)
• MSI Installation From Web (core)
• Suspicious DotNET CLR Usage Log Artifact (core)
• Self Extraction Directive File Created In Potentially Suspicious Location (core)
• Created Files by Microsoft Sync Center (core)
• Legitimate Application Dropped Archive (core)
• Legitimate Application Dropped Executable (core)

Showing 25 of 153 community rules — the full set is tagged attack.t1218 in SigmaHQ.

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.