Overview
System Binary Proxy Execution leverages legitimate Windows binaries (e.g., rundll32.exe, mshta.exe) to execute malicious code. These binaries are trusted by the OS, allowing attackers to bypass security controls like antivirus and application whitelisting by using these tools to proxy malicious actions.
Historical Context
This technique gained prominence as security defenses improved. Traditional malware detection focused on identifying unauthorized executables. As a result, attackers shifted to using system binaries, which are inherently trusted, making their activities blend seamlessly into legitimate system operations.
Role in Bypassing Security
System binaries, being part of the OS, are often overlooked by security tools. By using these binaries to execute code, attackers can evade detection, maintain persistence, and escalate privileges. This makes System Binary Proxy Execution a critical tactic for sophisticated attacks, particularly in environments with stringent security controls.
System binaries are executable files that are integral to an operating system’s functionality. These binaries, such as cmd.exe
, powershell.exe
, and rundll32.exe
, are inherently trusted and often run with high privileges. Due to their critical role, they are less scrutinized by security mechanisms, making them attractive targets for attackers looking to execute malicious code stealthily.
Common System Binaries
- cmd.exe: A command-line interpreter used to execute system commands, batch files, and scripts. It provides a direct interface to the operating system’s core functions.
- powershell.exe: A powerful scripting environment and command-line shell that offers deep integration with Windows OS, allowing for complex scripting and automation tasks.
- rundll32.exe: A utility used to load and execute functions from DLLs (Dynamic Link Libraries). It is designed to run DLL-based code that doesn’t have its own executable.
Proxy Execution with System Binary
Proxy Execution refers to the technique where attackers execute malicious code indirectly by using trusted system binaries. The primary goal of proxy execution is to bypass security controls by hiding the execution of malicious code under the guise of a legitimate, trusted process. This technique leverages the trust inherently placed in system binaries by security solutions, allowing attackers to blend malicious activities with normal system operations.
Common Techniques for Proxy Execution Using System Binaries
- Living Off the Land Binaries (LOLBins):
– Description: Attackers use native, pre-installed system binaries to carry out malicious activities. Since these binaries are already present and trusted by the system, they can be used to proxy the execution of malicious code.
– Examples: Using rundll32.exe
to execute DLLs, or mshta.exe
to run HTML applications that contain malicious scripts.
- Indirect Command Execution:
– Description: This technique involves using system binaries like cmd.exe
or powershell.exe
to execute commands that ultimately run the attacker’s code. The malicious payload is executed indirectly, often by scripting or command chaining.
– Example Technique: Attackers might chain commands using cmd.exe
to invoke PowerShell, which then executes a downloaded script or payload.
- Reflective DLL Injection via rundll32.exe:
– Description: rundll32.exe
is used to execute functions within a DLL that the attacker controls. This technique is particularly useful for executing code in memory without writing to disk, which helps evade detection.
– Example Technique: Reflective DLL injection where rundll32.exe
loads a DLL that is specifically crafted to run in the context of a legitimate process, thereby hiding malicious activities.
- Script-Based Execution with powershell.exe:
– Description: PowerShell scripts are used to execute malicious code directly from memory, avoiding detection by traditional file-based security measures. PowerShell’s deep integration with Windows makes it a powerful tool for proxy execution.
– Example Technique: Fileless malware attacks where PowerShell downloads and runs code directly in memory, avoiding any footprint on the disk.
- Abusing Trusted Service Processes:
– Description: System binaries associated with trusted services are manipulated to execute malicious payloads. These binaries can act as a proxy for the attacker’s code, often by loading malicious scripts or DLLs.
– Example Technique: Using svchost.exe
, a service host process, to load and execute malicious service DLLs, hiding the attack under the context of a legitimate service.
Techniques and Methods
There are many techniques and methods available using land binaries.
Cmd.exe
- Command execution: cmd.exe can be used to execute arbitrary commands using /c switch.
- Alternative stream: cmd.exe can be used to insert content into alternate data streams and execute them afterwards.
Powershell.exe
- Command execution: powershell.exe switch ‘/c’ can be used to execute commands. Note that while it is used in cmd itself, the command executed will not be logged in the powershell history file.
Rundll32.exe
- DLL execution: rundll32.exe can be used to execute DLL exported functions.
Others
- SSH: SSH utility can be used to execute commands:
- FTP
- WorkFolders: executes control.exe in the current working directory
- Pcwrun.exe
- Stordiag.exe: if stordiag.exe is copied to a folder, it’ll execute schtasks.exe, systeminfo.exe, and fitmc.exe if they exists in the same folder.
Anti-Virus Evasion with Proxy Execution
- Methods to Evade Anti-Virus Detection:
– Proxy Execution: Use trusted system binaries to execute malicious payloads, bypassing signature-based defenses.
– Examples: powershell.exe
, cmd.exe
, rundll32.exe
, and mshta.exe
can execute scripts or payloads while evading detection.
– Techniques: Obfuscate payloads, use in-memory execution, and leverage trusted binaries to avoid file-based scans.
- Real-World Examples and Case Studies:
– Example: An attacker uses mshta.exe
(T1218.005) to execute a malicious HTA file, which bypasses traditional anti-virus checks because mshta.exe
is a trusted system binary.
– Case Study: In 2017, a campaign used rundll32.exe
(T1218.011) to load a malicious DLL, evading detection by utilizing a trusted Windows binary to execute payloads.
Application Whitelisting Bypass with Proxy Execution
- Techniques to Bypass Application Whitelisting Controls:
– Exploitation of Trusted Binaries: Utilize signed system binaries to execute malicious commands or payloads that bypass whitelisting controls.
– Examples: regsvr32.exe
(T1218.010) and msiexec.exe
(T1218.007) are commonly used to execute payloads while appearing as trusted operations.
- Strategies:
– Leverage Signed Binaries: Run payloads or scripts using trusted binaries to circumvent application whitelisting.
– Example: Use msiexec.exe
to execute a malicious MSI package that bypasses whitelisting controls due to the trust in msiexec.exe
.
Logging and Monitoring Evasion with Proxy Exectution
- Tactics to Evade Logging and Monitoring:
– Process Injection: Inject malicious code into trusted processes to avoid detection.
– Examples: Use rundll32.exe
(T1218.011) or regsvr32.exe
(T1218.010) to load malicious DLLs without creating new, suspicious processes.
- Examples of Blending Malicious Activities:
– Example: An attacker uses regsvr32.exe
to execute a payload in memory, which avoids logging by not creating new files or processes that would trigger monitoring alerts.
Tooling and Frameworks for System Binary Proxy Execution
Popular Tools
- Metasploit Framework:
– Overview: A penetration testing framework with modules for exploiting vulnerabilities using system binaries.
– Use: Delivers payloads via trusted binaries like rundll32.exe
or PowerShell.
– Example: Uses the persistence
module to set up a backdoor through rundll32.exe
.
- Cobalt Strike:
– Overview: Advanced threat emulation tool known for its stealth and evasion.
– Use: Executes payloads using beacons through trusted binaries like powershell.exe
.
– Example: Injects beacons into processes like explorer.exe
for stealthy lateral movement.
- Custom Scripts and Payloads:
– Overview: Tailored scripts designed to evade detection by leveraging system binaries.
– Use: Executes payloads through binaries like cmd.exe
or mshta.exe
.
– Example: Uses rundll32.exe
to load a DLL directly from memory.
Development of Custom Tools
- Understand the Environment:
– Approach: Identify available system binaries and security controls through reconnaissance.
- Leverage Trusted System Binaries:
– Approach: Develop scripts using trusted binaries like powershell.exe
or cmd.exe
, ensuring they are obfuscated and encrypted.
- In-Memory Execution:
– Approach: Utilize reflective DLL injection or shellcode to execute directly in memory, avoiding file-based detection.
- Obfuscation and Encryption:
– Approach: Apply obfuscation and encryption to evade static analysis by security software.
- Testing and Iteration:
– Approach: Test tools in virtual environments mimicking the target system’s security setup to refine evasion techniques.
Advanced Techniques
Attackers and red teamers may chain together living off the land binaries to perform sophisticated attacks.
Initial Access & Execution
- LoLBins: mshta.exe, powershell.exe, rundll32.exe
- Tactic: Phishing email triggers mshta.exe to run a remote script, invoking powershell.exe to download and execute a payload or rundll32.exe to run a malicious DLL.
Privilege Escalation
- LoLBins: schtasks.exe, cmd.exe, regsvr32.exe
- Tactic: Use schtasks.exe to create high-privilege tasks, cmd.exe to run commands, and regsvr32.exe to execute malicious scripts via COM objects.
Defense Evasion
- LoLBins: sdbinst.exe, reg.exe, certutil.exe
- Tactic: Use sdbinst.exe to bypass UAC, reg.exe to disable security, and certutil.exe to download payloads undetected.
Persistence
- LoLBins: wscript.exe, wmic.exe, msiexec.exe
- Tactic: Use wscript.exe for startup scripts, wmic.exe for system manipulation, and msiexec.exe to install persistent malicious packages.
Lateral Movement
- LoLBins: psexec.exe, netsh.exe, dllhost.exe
- Tactic: Use psexec.exe for remote execution, netsh.exe for network configuration, and dllhost.exe to run COM objects across systems.
Data Exfiltration
- LoLBins: bitsadmin.exe, ftp.exe, robocopy.exe
- Tactic: Use bitsadmin.exe for covert data transfer, ftp.exe for FTP uploads, and robocopy.exe to move data to attacker-controlled shares.
Real-World Scenario: SolarWinds Attack by APT29 (2020)
Attack Chain:
- LoLBins: powershell.exe, mshta.exe, certutil.exe
- Tactic: APT29 (Cozy Bear) used mshta.exe and powershell.exe for initial compromise via infected software updates in the SolarWinds attack. They used certutil.exe to download malicious payloads, avoiding detection.
Impact:
- Massive Breach: Over 18,000 organizations, including U.S. government agencies, were compromised. Attackers remained undetected for months, showcasing LoLBins’ effectiveness in evading security measures.
Defensive Measures Against Proxy Execution Attacks
- Disable/Remove Unnecessary Features (M1042): Remove or disable non-essential binaries to reduce the attack surface.
- Execution Prevention (M1038): Use application whitelisting to block execution of vulnerable binaries.
- Exploit Protection (M1050): Apply EMET/ASR to block methods that exploit trusted binaries.
- Filter Network Traffic (M1037): Implement network filtering to block suspicious traffic from binaries like
powershell.exe
. - Privileged Account Management (M1026): Restrict binary execution to privileged users only.
- Restrict Web-Based Content (M1021): Block access to harmful web content to prevent exploitation via web-based scripts.