MITRE ATT&CK – T1218: Signed Binary Proxy Execution
Written By: Austin Miller
Signed binaries are at the heart of secure practices, with digital certificates giving us clear signs as to what we can trust and what we cannot. Using digital certificate validation and application controls to tighten up security is a top concern on all operating systems, but Windows seems to be disproportionately targeted by adversaries proxying commands through signed processes, according to recent research.
32,133 malware samples (16% of all samples analyzed) were found to use Signed Binary Proxy Execution, according to the Red Report. As a form of Living off the Land attack (LotL), a special subcategory has been created to describe the use of legitimate binaries to evade the standard defenses – Living off the Land binaries, or LOLBins. This tactic is used by the adversary to circumvent otherwise trustworthy services, but how exactly does it work?
What is Signed Binary Proxy Execution?
At its heart, this type of tactic relies on the use of legitimate digital certificates to obscure a command or executable which is not trusted by the potential target machine. By hiding the command or executable in a legitimate executable (i.e., a signed and trusted one), the adversary can leverage the implicit trust that machines give to signed processes to circumvent conventional defensive practices.
Having been updated in July 2020, the MITRE ATT&CK framework lists a number of ways in which the adversary can approach Signed Binary Proxy Execution. The principle that unites them all is hiding malicious processes under the guise of a legitimate certificate – something that will almost certainly trick a human, but is quickly becoming less effective against modern defenses.
How does the adversary use Signed Binary Proxy Execution?
The MITRE ATT&CK Framework lists thirteen ways in which the adversary weaponizes Signed Binary Proxy Execution:
- T1218.001 – Compiled HTML File
- T1218.002 – Control Panel
- T1218.003 – CMSTP
- T1218.004 – InstallUtil
- T1218.005 – Mshta
- T1218.006 – Msiexec
- T1218.007 – Odbcconf
- T1218.008 – Regsvcs/Regasm
- T1218.009 – Regsvr32
- T1218.010 – Rundll32
- T1218.011 – Verclsid
- T1218.012 – Mavinject
- T1218.013 – MMC
Because the list is long and in-depth, we are only covering the two most likely to infiltrate a system and cause damage, each of which has multiple variants.
T1218.001 – Compiled HTML File
Delivering a collection of HTML pages as a Compiled HTML File (.CHM) is a favorite technique that the adversary leverages in these types of attacks. Because .CHM files can be made up of a variety of content types, such as ActiveX, Java, JScript, VBA, and HTML image types, and because organizations interpret them inconsistently, various threat groups have made these attacks central to their malware.
Due to differences in how organizations deal with .CHM files, the adversary has two attack plans for this tactic:
Bypassing email content filters
Because many organizations do not view .CHM files as executables, incoming emails quickly become a dangerous area for cybersecurity professionals who are being targeted with Signed Binary Proxy Execution attacks. Because .CHM files are generally not added to a blacklist, or possibly even flagged by conventional email filtering software, malware such as the Masslogger Trojan and DeathStalker easily evaded email security controls that filtered on attachment name/type.
Bypassing Device Guard User Mode Code Integrity (UMCI)
Although largely restricted to older versions of Windows, threat actors used the HTML help executable (or hh.exe) to automatically launch malware when a .CHM file was launched with the Help Viewer. Because the Help Viewer automatically launches the file when hh.exe is invoked, the threat actors used this attack vector to poison webpages or attachments on emails.
As of Windows 10, Windows shows a Windows Security Warning prompt when suspicious files are found instead of automatically launching them.
T1218.002 – Control Panel
As all Control Panel items are dynamic link libraries (.dll) or executables, the adversary has a field day running hidden files through the Control Panel process binary – control.exe. By leveraging .dll, .exe, or the Control Panel's own .cpl files, proxy execution can be achieved in three ways:
Executing DLL files with .cpl extensions through the Registry
On launch, the Control Panel consults the Registry to load the following:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs
- HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs
If an adversary can access the second registry location – which is possible for all regular users – they can write a value under that key that loads and executes malicious code when the Control Panel is executed. An example command could look like this:
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls" /v payload.cpl /t REG_SZ /d "C:\payload.cpl"
In this case, payload.cpl is automatically launched when the Control Panel is executed through the DllEntryPoint.
Executing DLL files stored in ADS
With access to the command line on a Windows system, a malicious .dll file can be launched through the Control Panel by entering something like this:
This happens because the “evil.dll” file is embedded and hidden in the Alternate Data Stream (ADS), allowing a workaround.
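A detection sketch for the two Control Panel paths described above, added here as an example and not taken from MITRE or the Red Report. It assumes Sysmon-style fields (EventID 13 registry value set, EventID 1 process creation); the events, the SID, and the names notes.txt and vendor.cpl are constructed.

```python
import re

# Load lists named in the text above; Sysmon reports HKCU as HKU\<user SID>.
CPLS_KEY = re.compile(
    r"^(HKLM|HKCU|HKU\\S-1-5-21-[\d-]+)\\software\\microsoft\\windows"
    r"\\currentversion\\control panel\\cpls\\[^\\]+$", re.I)
# host-file:stream-name, i.e. a colon that is not the drive-letter colon.
ADS_ARG = re.compile(r'^(?:[a-z]:)?[^:"]{2,}:[^:\\/"]+$', re.I)
TRUSTED_DIR = "c:\\windows\\system32\\"  # assumed baseline for machine-wide CPLs


def check_registry_event(ev):
    """Flag a value set under the Control Panel Cpls key (Sysmon event 13 fields)."""
    m = CPLS_KEY.match(ev["TargetObject"])
    if not m:
        return None
    per_user = m.group(1).upper() != "HKLM"
    outside = not ev["Details"].lower().startswith(TRUSTED_DIR)
    if per_user or outside:
        scope = "per-user" if per_user else "machine-wide"
        return f"{scope} CPL registered: {ev['Details']}"
    return None


def check_process_event(ev):
    """Flag control.exe started with an alternate-data-stream path (event 1 fields)."""
    if not ev["Image"].lower().endswith("\\control.exe"):
        return None
    # Whitespace split is a simplification; quoted paths with spaces need a real parser.
    for arg in ev["CommandLine"].split()[1:]:
        if ADS_ARG.match(arg.strip('"')):
            return f"control.exe given stream path: {arg}"
    return None


KEY = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls"
CONTROL = r"C:\Windows\System32\control.exe"
EVENTS = [  # constructed sample events, not captured from a real host
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001" + KEY + r"\payload.cpl",
     "Details": r"C:\payload.cpl"},
    {"EventID": 13, "TargetObject": "HKLM" + KEY + r"\vendor.cpl",
     "Details": r"C:\Windows\System32\vendor.cpl"},
    {"EventID": 1, "Image": CONTROL, "CommandLine": r"control.exe C:\Users\Public\notes.txt:evil.dll"},
    {"EventID": 1, "Image": CONTROL, "CommandLine": "control.exe desk.cpl"},
]


def triage(events):
    """Run the matching check for each event and return the alerts."""
    checks = {13: check_registry_event, 1: check_process_event}
    return [hit for ev in events if (hit := checks[ev["EventID"]](ev))]
```

Per-user registrations are flagged regardless of target path because any regular user can write that key; machine-wide entries are flagged only when they point outside the assumed trusted directory.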
Bypassing file extension whitelists
Phishing and multi-stage malware attacks have used malicious Control Panel items to evade file extension allow lists in email filters and other basic security controls by disguising DLL files with a .cpl extension. When the user executes the obfuscated file, Windows launches control.exe. This gives the malware access to the Control Panel and starts up the CPlApplet function.
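Both the .CHM email-filter bypass and the .cpl disguise above work because the filter decides on attachment name or declared type. The following added example (not from the original article) classifies attachments by their leading bytes instead; the extension policy, file names and stub payloads are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# File signatures: CHM containers start with "ITSF"; DLL/EXE/CPL files are PE images ("MZ").
MAGIC = {b"ITSF": "compiled-html-help", b"MZ": "pe-executable"}
BLOCKED_EXT = {".exe", ".dll", ".scr"}  # assumed extension-only policy, for comparison


def sniff(payload):
    """Return the content kind implied by the leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if payload.startswith(magic):
            return kind
    return None


def scan(raw_message):
    """Return (filename, blocked_by_extension, kind_by_content) per attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        results.append((name, ext in BLOCKED_EXT, sniff(data)))
    return results


def build_sample():
    """Constructed message: stub payloads carry only the leading signature bytes."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name, body in [("manual.chm", b"ITSF" + b"\0" * 16),
                       ("settings.cpl", b"MZ" + b"\0" * 16),
                       ("notes.txt", b"plain text")]:
        msg.add_attachment(body, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

On the sample message the extension policy passes all three attachments, while the content check identifies the .chm and the .cpl as executable content.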
How do I defend my organization against Signed Binary Proxy Execution?
Although we did not have the space to analyze each tactic in detail, this insight into T1218.001 and T1218.002 should give you a taster of the kind of defensive action you need to take to stop Signed Binary Proxy Execution affecting your business. The following defensive techniques are offered in the MITRE ATT&CK framework:
- M1026 – Privileged Account Management
- M1038 – Execution Prevention
- M1042 – Disable or Remove Feature of Program
- M1050 – Exploit Protection