Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >ATTACK
  3. >Defense Evasion
  4. >ATTACK-T1218
ATTACK-T1218Active

System Binary Proxy Execution

Statement

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.

Similarly, on Linux systems adversaries may abuse trusted binaries such as <code>split</code> to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)

Location

Tactic
Defense Evasion

Technique Details

Identifier
ATTACK-T1218
ATT&CK Page
View on MITRE

Tactics

Defense Evasion

Platforms

WindowsLinuxmacOS

Detection

Detection of Proxy Execution via Trusted Signed Binaries Across Platforms

Mitigations

Exploit Protection: Deploy capabilities that detect, block, and mitigate conditions indicative of software exploits. These capabilities aim to prevent exploitation by addressing vulnerabilities, monitoring anomalous behaviors, and applying exploit-mitigation techniques to harden systems and software.

Operating System Exploit Protections:

  • Use Case: Enable built-in exploit protection features provided by modern operating systems, such as Microsoft's Exploit Protection, which includes techniques like Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG).
  • Implementation: Enforce DEP for all programs and enable ASLR to randomize memory addresses used by system and application processes. Windows: Configure Exploit Protection through the Windows Security app or deploy settings via Group Policy. ExploitProtectionExportSettings.exe -path "exploit_settings.xml" Linux: Use Kernel-level hardening features like SELinux, AppArmor, or GRSEC to enforce memory protections and prevent exploits.

Third-Party Endpoint Security:

  • Use Case: Use endpoint protection tools with built-in exploit protection, such as enhanced memory protection, behavior monitoring, and real-time exploit detection.
  • Implementation: Deploy tools to detect and block exploitation attempts targeting unpatched software.

Virtual Patching:

  • Use Case: Use tools to implement virtual patches that mitigate vulnerabilities in applications or operating systems until official patches are applied.
  • Implementation: Use Intrusion Prevention System (IPS) to block exploitation attempts on known vulnerabilities in outdated applications.

Hardening Application Configurations:

  • Use Case: Disable risky application features that can be exploited, such as macros in Microsoft Office or JScript in Internet Explorer.
  • Implementation: Configure Microsoft Office Group Policies to disable execution of macros in downloaded files.

Filter Network Traffic: Employ network appliances and endpoint software to filter ingress, egress, and lateral network traffic. This includes protocol-based filtering, enforcing firewall rules, and blocking or restricting traffic based on predefined conditions to limit adversary movement and data exfiltration. This mitigation can be implemented through the following measures:

Ingress Traffic Filtering:

  • Use Case: Configure network firewalls to allow traffic only from authorized IP addresses to public-facing servers.
  • Implementation: Limit SSH (port 22) and RDP (port 3389) traffic to specific IP ranges.

Egress Traffic Filtering:

  • Use Case: Use firewalls or endpoint security software to block unauthorized outbound traffic to prevent data exfiltration and command-and-control (C2) communications.
  • Implementation: Block outbound traffic to known malicious IPs or regions where communication is unexpected.

Protocol-Based Filtering:

  • Use Case: Restrict the use of specific protocols that are commonly abused by adversaries, such as SMB, RPC, or Telnet, based on business needs.
  • Implementation: Disable SMBv1 on endpoints to prevent exploits like EternalBlue.

Network Segmentation:

  • Use Case: Create network segments for critical systems and restrict communication between segments unless explicitly authorized.
  • Implementation: Implement VLANs to isolate IoT devices or guest networks from core business systems.

Application Layer Filtering:

  • Use Case: Use proxy servers or Web Application Firewalls (WAFs) to inspect and block malicious HTTP/S traffic.
  • Implementation: Configure a WAF to block SQL injection attempts or other web application exploitation techniques.

Privileged Account Management: Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through the following measures:

Account Permissions and Roles:

  • Implement RBAC and least privilege principles to allocate permissions securely.
  • Use tools like Active Directory Group Policies to enforce access restrictions.

Credential Security:

  • Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
  • Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).

Multi-Factor Authentication (MFA):

  • Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.

Privileged Access Management (PAM):

  • Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.

Auditing and Monitoring:

  • Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.

Just-In-Time Access:

  • Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.

Tools for Implementation

Privileged Access Management (PAM):

  • CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.

Credential Management:

  • Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.

Multi-Factor Authentication:

  • Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.

Linux Privilege Management:

  • sudo configuration, SELinux, AppArmor.

Just-In-Time Access:

  • Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.

Execution Prevention: Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions. This mitigation can be implemented through the following measures:

Application Control:

  • Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution.
  • Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.xml")

Script Blocking:

  • Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources.
  • Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g., Set-ExecutionPolicy AllSigned)

Executable Blocking:

  • Use Case: Prevent execution of binaries from suspicious locations, such as %TEMP% or %APPDATA% directories.
  • Implementation: Block execution of .exe, .bat, or .ps1 files from user-writable directories.

Dynamic Analysis Prevention:

  • Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time.
  • Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.

Disable or Remove Feature or Program: Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled. This mitigation can be implemented through the following measures:

Remove Legacy Software:

  • Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash).
  • Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.

Disable Unused Features:

  • Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required.
  • Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.

Control Applications Installed by Users:

  • Use Case: Prevent users from installing unauthorized software via group policies or other management tools.
  • Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.

Remove Unnecessary Services:

  • Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices.
  • Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.

Restrict Add-ons and Plugins:

  • Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes.
  • Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.

Restrict Web-Based Content: Restricting web-based content involves enforcing policies and technologies that limit access to potentially malicious websites, unsafe downloads, and unauthorized browser behaviors. This can include URL filtering, download restrictions, script blocking, and extension control to protect against exploitation, phishing, and malware delivery. This mitigation can be implemented through the following measures:

Deploy Web Proxy Filtering:

  • Use solutions to filter web traffic based on categories, reputation, and content types.
  • Enforce policies that block unsafe websites or file types at the gateway level.

Enable DNS-Based Filtering:

  • Implement tools to restrict access to domains associated with malware or phishing campaigns.
  • Use public DNS filtering services to enhance protection.

Enforce Content Security Policies (CSP):

  • Configure CSP headers on internal and external web applications to restrict script execution, iframe embedding, and cross-origin requests.

Control Browser Features:

  • Disable unapproved browser features like automatic downloads, developer tools, or unsafe scripting.
  • Enforce policies through tools like Group Policy Management to control browser settings.

Monitor and Alert on Web-Based Threats:

  • Use SIEM tools to collect and analyze web proxy logs for signs of anomalous or malicious activity.
  • Configure alerts for access attempts to blocked domains or repeated file download failures.
SP 800-53
SP800-53-AC-2relatedvia ctid-attack-to-sp800-53
SP800-53-AC-3relatedvia ctid-attack-to-sp800-53
SP800-53-AC-5relatedvia ctid-attack-to-sp800-53
SP800-53-AC-6relatedvia ctid-attack-to-sp800-53
SP800-53-CA-7relatedvia ctid-attack-to-sp800-53
View in graphReport an issue
← Back to Defense Evasion
Defense Evasion183 controls
ATTACK-T1006Direct Volume AccessATTACK-T1014RootkitATTACK-T1027Obfuscated Files or InformationATTACK-T1027.001Binary PaddingATTACK-T1027.002Software PackingATTACK-T1027.003SteganographyATTACK-T1027.004Compile After DeliveryATTACK-T1027.005Indicator Removal from ToolsATTACK-T1027.006HTML SmugglingATTACK-T1027.007Dynamic API ResolutionATTACK-T1027.008Stripped PayloadsATTACK-T1027.009Embedded PayloadsATTACK-T1027.010Command ObfuscationATTACK-T1027.011Fileless StorageATTACK-T1027.012LNK Icon SmugglingATTACK-T1027.013Encrypted/Encoded FileATTACK-T1027.014Polymorphic CodeATTACK-T1027.015CompressionATTACK-T1027.016Junk Code InsertionATTACK-T1027.017SVG SmugglingATTACK-T1036MasqueradingATTACK-T1036.001Invalid Code SignatureATTACK-T1036.002Right-to-Left OverrideATTACK-T1036.003Rename Legitimate UtilitiesATTACK-T1036.004Masquerade Task or ServiceATTACK-T1036.005Match Legitimate Resource Name or LocationATTACK-T1036.006Space after FilenameATTACK-T1036.007Double File ExtensionATTACK-T1036.008Masquerade File TypeATTACK-T1036.009Break Process TreesATTACK-T1036.010Masquerade Account NameATTACK-T1036.011Overwrite Process ArgumentsATTACK-T1036.012Browser FingerprintATTACK-T1055Process InjectionATTACK-T1055.001Dynamic-link Library InjectionATTACK-T1055.002Portable Executable InjectionATTACK-T1055.003Thread Execution HijackingATTACK-T1055.004Asynchronous Procedure CallATTACK-T1055.005Thread Local StorageATTACK-T1055.008Ptrace System CallsATTACK-T1055.009Proc MemoryATTACK-T1055.011Extra Window Memory InjectionATTACK-T1055.012Process HollowingATTACK-T1055.013Process DoppelgängingATTACK-T1055.014VDSO HijackingATTACK-T1055.015ListPlantingATTACK-T1070Indicator RemovalATTACK-T1070.001Clear Windows Event LogsATTACK-T1070.002Clear Linux or Mac System LogsATTACK-T1070.003Clear Command HistoryATTACK-T1070.004File DeletionATTACK-T1070.005Network Share Connection RemovalATTACK-T1070.006TimestompATTACK-T1070.007Clear Network Connection History and ConfigurationsATTACK-T1070.008Clear Mailbox DataATTACK-T1070.009Clear PersistenceATTACK-T1070.010Relocate MalwareATTACK-T1078Valid AccountsATTACK-T1078.001Default AccountsATTACK-T1078.002Domain AccountsATTACK-T1078.003Local AccountsATTACK-T1078.004Cloud AccountsATTACK-T1112Modify RegistryATTACK-T1127Trusted Developer Utilities Proxy ExecutionATTACK-T1127.001MSBuildATTACK-T1127.002ClickOnceATTACK-T1127.003JamPlusATTACK-T1134Access Token ManipulationATTACK-T1134.001Token Impersonation/TheftATTACK-T1134.002Create Process with TokenATTACK-T1134.003Make and Impersonate TokenATTACK-T1134.004Parent PID SpoofingATTACK-T1134.005SID-History InjectionATTACK-T1140Deobfuscate/Decode Files or InformationATTACK-T1197BITS JobsATTACK-T1202Indirect Command ExecutionATTACK-T1205Traffic SignalingATTACK-T1205.001Port KnockingATTACK-T1205.002Socket FiltersATTACK-T1207Rogue Domain ControllerATTACK-T1211Exploitation for Defense EvasionATTACK-T1216System Script Proxy ExecutionATTACK-T1216.001PubPrnATTACK-T1216.002SyncAppvPublishingServerATTACK-T1218System Binary Proxy ExecutionATTACK-T1218.001Compiled HTML FileATTACK-T1218.002Control PanelATTACK-T1218.003CMSTPATTACK-T1218.004InstallUtilATTACK-T1218.005MshtaATTACK-T1218.007MsiexecATTACK-T1218.008OdbcconfATTACK-T1218.009Regsvcs/RegasmATTACK-T1218.010Regsvr32ATTACK-T1218.011Rundll32ATTACK-T1218.012VerclsidATTACK-T1218.013MavinjectATTACK-T1218.014MMCATTACK-T1218.015Electron ApplicationsATTACK-T1220XSL Script ProcessingATTACK-T1221Template InjectionATTACK-T1222File and Directory Permissions ModificationATTACK-T1222.001Windows File and Directory Permissions ModificationATTACK-T1222.002Linux and Mac File and Directory Permissions ModificationATTACK-T1480Execution GuardrailsATTACK-T1480.001Environmental KeyingATTACK-T1480.002Mutual ExclusionATTACK-T1484Domain or Tenant Policy ModificationATTACK-T1484.001Group Policy ModificationATTACK-T1484.002Trust ModificationATTACK-T1497Virtualization/Sandbox EvasionATTACK-T1497.001System ChecksATTACK-T1497.002User Activity Based ChecksATTACK-T1497.003Time Based ChecksATTACK-T1535Unused/Unsupported Cloud RegionsATTACK-T1542Pre-OS BootATTACK-T1542.004ROMMONkitATTACK-T1542.005TFTP BootATTACK-T1548.006TCC ManipulationATTACK-T1550Use Alternate Authentication MaterialATTACK-T1550.001Application Access TokenATTACK-T1550.002Pass the HashATTACK-T1550.003Pass the TicketATTACK-T1550.004Web Session CookieATTACK-T1553Subvert Trust ControlsATTACK-T1553.001Gatekeeper BypassATTACK-T1553.002Code SigningATTACK-T1553.003SIP and Trust Provider HijackingATTACK-T1553.004Install Root CertificateATTACK-T1553.005Mark-of-the-Web BypassATTACK-T1553.006Code Signing Policy ModificationATTACK-T1562Impair DefensesATTACK-T1562.001Disable or Modify ToolsATTACK-T1562.002Disable Windows Event LoggingATTACK-T1562.003Impair Command History LoggingATTACK-T1562.004Disable or Modify System FirewallATTACK-T1562.006Indicator BlockingATTACK-T1562.007Disable or Modify Cloud FirewallATTACK-T1562.008Disable or Modify Cloud LogsATTACK-T1562.009Safe Mode BootATTACK-T1562.010Downgrade AttackATTACK-T1562.011Spoof Security AlertingATTACK-T1562.012Disable or Modify Linux Audit SystemATTACK-T1562.013Disable or Modify Network Device FirewallATTACK-T1564Hide ArtifactsATTACK-T1564.001Hidden Files and DirectoriesATTACK-T1564.002Hidden UsersATTACK-T1564.003Hidden WindowATTACK-T1564.004NTFS File AttributesATTACK-T1564.005Hidden File SystemATTACK-T1564.006Run Virtual InstanceATTACK-T1564.007VBA StompingATTACK-T1564.008Email Hiding RulesATTACK-T1564.009Resource ForkingATTACK-T1564.010Process Argument SpoofingATTACK-T1564.011Ignore Process InterruptsATTACK-T1564.012File/Path ExclusionsATTACK-T1564.013Bind MountsATTACK-T1564.014Extended AttributesATTACK-T1578Modify Cloud Compute InfrastructureATTACK-T1578.001Create SnapshotATTACK-T1578.002Create Cloud InstanceATTACK-T1578.003Delete Cloud InstanceATTACK-T1578.004Revert Cloud InstanceATTACK-T1578.005Modify Cloud Compute ConfigurationsATTACK-T1599Network Boundary BridgingATTACK-T1599.001Network Address Translation TraversalATTACK-T1600Weaken EncryptionATTACK-T1600.001Reduce Key SpaceATTACK-T1600.002Disable Crypto HardwareATTACK-T1601Modify System ImageATTACK-T1601.001Patch System ImageATTACK-T1601.002Downgrade System ImageATTACK-T1610Deploy ContainerATTACK-T1612Build Image on HostATTACK-T1620Reflective Code LoadingATTACK-T1622Debugger EvasionATTACK-T1647Plist File ModificationATTACK-T1656ImpersonationATTACK-T1666Modify Cloud Resource HierarchyATTACK-T1672Email SpoofingATTACK-T1678Delay ExecutionATTACK-T1679Selective Exclusion