Which SIEM platforms have a T1218 detection rule?

df00tech provides T1218 (System Binary Proxy Execution) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect System Binary Proxy Execution (T1218)?

Detecting System Binary Proxy Execution requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1218 detection?

The T1218 detection is rated high severity with high confidence.

What are common false positives for T1218?

Common false positives for T1218 include: Legitimate software installers using msiexec.exe or installutil.exe during application deployment; Administrative scripts and IT management tools (SCCM, PDQ Deploy) invoking rundll32.exe or regsvr32.exe for component registration; Corporate HTA-based applications (legacy web apps, admin dashboards) legitimately executed via mshta.exe.

T1218

System Binary Proxy Execution

Defense Evasion Last updated: April 13, 2026

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. Several Microsoft-signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Sub-techniques include abuse of mshta.exe, rundll32.exe, regsvr32.exe, msiexec.exe, cmstp.exe, installutil.exe, regsvcs.exe, regasm.exe, odbcconf.exe, verclsid.exe, mavinject.exe, control.exe (Control Panel), compiled HTML files (hh.exe), MMC snap-ins, Electron applications, and wuauclt.exe. On Linux, trusted binaries such as split may be abused similarly. Real-world usage includes Lazarus Group abusing wuauclt.exe to execute malicious DLLs and Volt Typhoon broadly leveraging LOLBins to maintain and expand network access.

What is T1218 System Binary Proxy Execution?

System Binary Proxy Execution (T1218) maps to the Defense Evasion tactic — the adversary is trying to avoid being detected in MITRE ATT&CK.

This page provides production-ready detection logic for System Binary Proxy Execution, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated high severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1218 System Binary Proxy Execution
Canonical reference: https://attack.mitre.org/techniques/T1218/

Microsoft Sentinel / Defender

kusto

let LOLBins = dynamic([
  "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe",
  "cmstp.exe", "installutil.exe", "regsvcs.exe", "regasm.exe",
  "odbcconf.exe", "verclsid.exe", "mavinject.exe",
  "hh.exe", "wuauclt.exe", "mmc.exe", "xwizard.exe",
  "syncappvpublishingserver.exe", "appsyncpublishingserver.exe"
]);
let SuspiciousParents = dynamic([
  "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
  "onenote.exe", "msaccess.exe", "mspub.exe", "visio.exe",
  "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe",
  "powershell.exe", "pwsh.exe", "explorer.exe"
]);
let SuspiciousNetworkLOLBins = dynamic([
  "mshta.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe", "cmstp.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (LOLBins)
| extend IsOfficeParent = InitiatingProcessFileName in~ (SuspiciousParents)
| extend HasRemoteURL = ProcessCommandLine has_any ("http://", "https://", "ftp://", "\\\\")
| extend HasComScript = ProcessCommandLine has_any (".sct", ".hta", ".vbs", ".js", ".wsf", ".dll,", ".ocx")
| extend RegSvr32Bypass = (FileName =~ "regsvr32.exe" and ProcessCommandLine has_any ("/s", "/u", "/i:", "scrobj"))
| extend MshtaHta = (FileName =~ "mshta.exe" and ProcessCommandLine has_any (".hta", "javascript:", "vbscript:"))
| extend RunDll32Sus = (FileName =~ "rundll32.exe" and (ProcessCommandLine has_any ("javascript:", "shell32.dll", "advpack.dll", "ieadvpack.dll", "syssetup.dll") or ProcessCommandLine matches regex @"rundll32\.exe\s+[^,]+,(\w+)"))
| extend CMSTPInf = (FileName =~ "cmstp.exe" and ProcessCommandLine has_any ("/s", "/ns", ".inf"))
| extend InstallUtilBypass = (FileName =~ "installutil.exe" and ProcessCommandLine has_any ("/logfile=", "/LogToConsole=", "/U"))
| extend WuaucltDll = (FileName =~ "wuauclt.exe" and ProcessCommandLine has_any ("UpdateDeploymentProvider", "/UpdateDeploymentProvider"))
| extend OdbcConfRSP = (FileName =~ "odbcconf.exe" and ProcessCommandLine has_any ("/a", "-a", "regsvr", ".rsp"))
| extend SuspicionScore = toint(IsOfficeParent) + toint(HasRemoteURL) + toint(HasComScript)
    + toint(RegSvr32Bypass) + toint(MshtaHta) + toint(RunDll32Sus)
    + toint(CMSTPInf) + toint(InstallUtilBypass) + toint(WuaucltDll) + toint(OdbcConfRSP)
| where SuspicionScore > 0
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsOfficeParent, HasRemoteURL, HasComScript, RegSvr32Bypass,
         MshtaHta, RunDll32Sus, CMSTPInf, InstallUtilBypass, WuaucltDll, OdbcConfRSP,
         SuspicionScore
| sort by SuspicionScore desc, Timestamp desc

Detects abuse of trusted Windows system binaries (LOLBins) for proxy execution, covering the full T1218 parent technique and its sub-techniques. Monitors DeviceProcessEvents for known Living Off The Land Binaries executing with suspicious command-line patterns including remote URL references, COM script payloads, Regsvr32 /i scrobj bypasses, MSHTA HTA/JavaScript execution, RunDll32 JavaScript, CMSTP INF sideloading, InstallUtil CLR bypass, wuauclt.exe DLL loading, and odbcconf RSP file execution. A suspicion score aggregates multiple indicators to reduce false positives.

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate software installers using msiexec.exe or installutil.exe during application deployment
Administrative scripts and IT management tools (SCCM, PDQ Deploy) invoking rundll32.exe or regsvr32.exe for component registration
Corporate HTA-based applications (legacy web apps, admin dashboards) legitimately executed via mshta.exe
VPN and security software installers using cmstp.exe to configure connection profiles during initial setup
Windows Update processes legitimately invoking wuauclt.exe as part of the update delivery mechanism

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\mshta.exe" OR Image="*\\rundll32.exe" OR Image="*\\regsvr32.exe"
   OR Image="*\\msiexec.exe" OR Image="*\\cmstp.exe" OR Image="*\\installutil.exe"
   OR Image="*\\regsvcs.exe" OR Image="*\\regasm.exe" OR Image="*\\odbcconf.exe"
   OR Image="*\\verclsid.exe" OR Image="*\\mavinject.exe" OR Image="*\\hh.exe"
   OR Image="*\\wuauclt.exe" OR Image="*\\mmc.exe" OR Image="*\\xwizard.exe")
| eval CommandLine=lower(CommandLine)
| eval ParentImage=lower(ParentImage)
| eval IsOfficeParent=if(match(ParentImage, "(winword|excel|powerpnt|outlook|onenote|msaccess|mspub|visio|wscript|cscript)\.exe"), 1, 0)
| eval HasRemoteURL=if(match(CommandLine, "(http://|https://|ftp://)"), 1, 0)
| eval HasComScript=if(match(CommandLine, "(\.sct|\.hta|\.vbs|\.wsf|\.js|scrobj|,\s*[a-z])"), 1, 0)
| eval RegSvr32Bypass=if(match(Image, "regsvr32\.exe") AND match(CommandLine, "(/s|/u|/i:|scrobj|sct)"), 1, 0)
| eval MshtaSus=if(match(Image, "mshta\.exe") AND match(CommandLine, "(\.hta|javascript:|vbscript:)"), 1, 0)
| eval RunDll32Sus=if(match(Image, "rundll32\.exe") AND match(CommandLine, "(javascript:|shell32|advpack|ieadvpack|syssetup)"), 1, 0)
| eval CMSTPInf=if(match(Image, "cmstp\.exe") AND match(CommandLine, "(/s|/ns|\.inf)"), 1, 0)
| eval InstallUtilBypass=if(match(Image, "installutil\.exe") AND match(CommandLine, "(/logfile=|/logtoconsole=|/u)"), 1, 0)
| eval WuaucltDll=if(match(Image, "wuauclt\.exe") AND match(CommandLine, "(updatedeploymentprovider)"), 1, 0)
| eval OdbcConfRSP=if(match(Image, "odbcconf\.exe") AND match(CommandLine, "(/a|-a|regsvr|\.rsp)"), 1, 0)
| eval SuspicionScore=IsOfficeParent + HasRemoteURL + HasComScript + RegSvr32Bypass + MshtaSus + RunDll32Sus + CMSTPInf + InstallUtilBypass + WuaucltDll + OdbcConfRSP
| where SuspicionScore > 0
| eval LOLBin=mvindex(split(Image, "\\"), -1)
| table _time, host, User, LOLBin, CommandLine, ParentImage, ParentCommandLine,
        IsOfficeParent, HasRemoteURL, RegSvr32Bypass, MshtaSus, RunDll32Sus,
        CMSTPInf, InstallUtilBypass, WuaucltDll, OdbcConfRSP, SuspicionScore
| sort - SuspicionScore, - _time

Detects LOLBin proxy execution across the T1218 technique family using Sysmon Event ID 1 (Process Creation). Monitors for known trusted Windows binaries invoked with suspicious arguments: Regsvr32 scrobj/SCT loading, MSHTA with HTA or inline JavaScript/VBScript, RunDll32 with JavaScript or known bypass DLLs, CMSTP with INF sideloading, InstallUtil CLR bypass flags, wuauclt UpdateDeploymentProvider DLL loading, and odbcconf RSP file abuse. The suspicion score aggregates matching indicators to help analysts prioritize high-confidence events.

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate software installers using msiexec.exe or installutil.exe during application deployment
Administrative scripts and IT management tools invoking rundll32.exe or regsvr32.exe for component registration
Corporate HTA-based applications legitimately executed via mshta.exe by help desk or admin tooling
VPN and security software installers using cmstp.exe to configure connection profiles
Windows Update processes legitimately invoking wuauclt.exe during update delivery

Elastic Security (EQL)

eql

process where event.type == "start" and
  process.name in~ ("mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "cmstp.exe", "installutil.exe", "regsvcs.exe", "regasm.exe", "odbcconf.exe", "verclsid.exe", "mavinject.exe", "hh.exe", "wuauclt.exe", "mmc.exe", "xwizard.exe", "syncappvpublishingserver.exe", "appsyncpublishingserver.exe") and
  (
    process.parent.name in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "msaccess.exe", "mspub.exe", "visio.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe") or
    process.command_line like~ "*http://*" or process.command_line like~ "*https://*" or process.command_line like~ "*ftp://*" or
    process.command_line like~ "*.sct*" or process.command_line like~ "*.hta*" or process.command_line like~ "*.vbs*" or process.command_line like~ "*.wsf*" or process.command_line like~ "scrobj*" or
    (process.name =~ "regsvr32.exe" and (process.command_line like~ "*/s*" or process.command_line like~ "*/i:*" or process.command_line like~ "*scrobj*")) or
    (process.name =~ "mshta.exe" and (process.command_line like~ "*.hta*" or process.command_line like~ "*javascript:*" or process.command_line like~ "*vbscript:*")) or
    (process.name =~ "rundll32.exe" and (process.command_line like~ "*javascript:*" or process.command_line like~ "*shell32.dll*" or process.command_line like~ "*advpack.dll*" or process.command_line like~ "*ieadvpack.dll*" or process.command_line like~ "*syssetup.dll*")) or
    (process.name =~ "cmstp.exe" and (process.command_line like~ "*/s*" or process.command_line like~ "*/ns*" or process.command_line like~ "*.inf*")) or
    (process.name =~ "installutil.exe" and (process.command_line like~ "*/logfile=*" or process.command_line like~ "*/LogToConsole=*" or process.command_line like~ "*/U*")) or
    (process.name =~ "wuauclt.exe" and process.command_line like~ "*UpdateDeploymentProvider*") or
    (process.name =~ "odbcconf.exe" and (process.command_line like~ "*/a*" or process.command_line like~ "*regsvr*" or process.command_line like~ "*.rsp*"))
  )

Detects abuse of trusted Windows LOLBins for proxy execution (T1218). Triggers on LOLBin execution with suspicious parent processes, remote URLs, script extensions, or technique-specific command-line patterns (Regsvr32 bypass, MSHTA HTA, RunDLL32 script, CMSTP INF, InstallUtil bypass, Wuauclt DLL sideload, ODBCConf RSP).

high severity high confidence

Data Sources

Elastic Endpoint Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate IT administrative use of msiexec.exe or rundll32.exe for software deployment via SCCM/Intune from cmd.exe or powershell.exe parent
Developer tooling such as InstallUtil.exe used during .NET application installation or CI/CD pipelines
Security tools or EDR agents that invoke regsvr32.exe or regasm.exe to register COM components during install or update

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "Process Name",
  "Command",
  "Parent Process Name",
  sourceip,
  hostname,
  CASE
    WHEN LOWER("Parent Process Name") MATCHES '.*\\\\(winword|excel|powerpnt|outlook|onenote|msaccess|mspub|visio|wscript|cscript)\.exe' THEN 1 ELSE 0
  END +
  CASE WHEN LOWER("Command") MATCHES '.*(http://|https://|ftp://).*' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Command") MATCHES '.*(\.sct|\.hta|\.vbs|\.wsf|\.js|scrobj).*' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") MATCHES '.*\\\\regsvr32\.exe' AND LOWER("Command") MATCHES '.*/s|/u|/i:|scrobj|sct.*' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") MATCHES '.*\\\\mshta\.exe' AND LOWER("Command") MATCHES '.*(\.hta|javascript:|vbscript:).*' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") MATCHES '.*\\\\rundll32\.exe' AND LOWER("Command") MATCHES '.*(javascript:|shell32|advpack|ieadvpack|syssetup).*' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") MATCHES '.*\\\\cmstp\.exe' AND LOWER("Command") MATCHES '.*(/s|/ns|\.inf).*' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") MATCHES '.*\\\\installutil\.exe' AND LOWER("Command") MATCHES '.*/logfile=|/logtoconsole=|/u.*' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") MATCHES '.*\\\\wuauclt\.exe' AND LOWER("Command") MATCHES '.*updatedeploymentprovider.*' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") MATCHES '.*\\\\odbcconf\.exe' AND LOWER("Command") MATCHES '.*/a|-a|regsvr|\.rsp.*' THEN 1 ELSE 0 END
  AS suspicion_score
FROM events
WHERE
  LOGSOURCETYPEID = 119
  AND qid = 5001000
  AND (
    LOWER("Process Name") MATCHES '.*\\\\(mshta|rundll32|regsvr32|msiexec|cmstp|installutil|regsvcs|regasm|odbcconf|verclsid|mavinject|hh|wuauclt|mmc|xwizard)\.exe'
  )
  AND (
    LOWER("Parent Process Name") MATCHES '.*\\\\(winword|excel|powerpnt|outlook|onenote|msaccess|wscript|cscript|cmd|powershell)\.exe'
    OR LOWER("Command") MATCHES '.*(http://|https://|ftp://|\.sct|\.hta|\.vbs|scrobj|updatedeploymentprovider|\.rsp).*'
  )
HAVING suspicion_score > 0
ORDER BY suspicion_score DESC, event_time DESC
LAST 24 HOURS

QRadar AQL detection for T1218 LOLBin proxy execution. Queries Sysmon process creation events (Event ID 1) from Windows endpoints, scoring each event across multiple suspicious indicators: office/script parent process, remote URL in args, script extension references, and binary-specific bypass patterns.

high severity medium confidence

Data Sources

Sysmon (via Windows Event Log) QRadar WinCollect agent

Required Tables

events

False Positives

SCCM or software management tools invoking msiexec.exe or rundll32.exe from cmd.exe for legitimate deployments
Helpdesk or IT scripts that use wscript.exe to launch msiexec for application installs
Security product installers that register DLLs via regsvr32.exe or regasm.exe during initial setup

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon
| where EventID = "1"
| parse regex field=Image "(?<process_name>[^\\\\]+)$"
| parse regex field=ParentImage "(?<parent_process_name>[^\\\\]+)$"
| where process_name in ("mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "cmstp.exe", "installutil.exe", "regsvcs.exe", "regasm.exe", "odbcconf.exe", "verclsid.exe", "mavinject.exe", "hh.exe", "wuauclt.exe", "mmc.exe", "xwizard.exe")
| toLowerCase(CommandLine) as cmd_lower
| toLowerCase(ParentImage) as parent_lower
| if (parent_lower matches "*(winword|excel|powerpnt|outlook|onenote|msaccess|mspub|visio|wscript|cscript|cmd|powershell).exe*", 1, 0) as is_office_parent
| if (cmd_lower matches "*(http://|https://|ftp://)*", 1, 0) as has_remote_url
| if (cmd_lower matches "*(.sct|.hta|.vbs|.wsf|.js|scrobj)*", 1, 0) as has_com_script
| if (process_name = "regsvr32.exe" and (cmd_lower matches "*(/s|/u|/i:|scrobj|sct)*"), 1, 0) as regsvr32_bypass
| if (process_name = "mshta.exe" and (cmd_lower matches "*(.hta|javascript:|vbscript:)*"), 1, 0) as mshta_sus
| if (process_name = "rundll32.exe" and (cmd_lower matches "*(javascript:|shell32|advpack|ieadvpack|syssetup)*"), 1, 0) as rundll32_sus
| if (process_name = "cmstp.exe" and (cmd_lower matches "*(/s|/ns|.inf)*"), 1, 0) as cmstp_inf
| if (process_name = "installutil.exe" and (cmd_lower matches "*(/logfile=|/logtoconsole=|/u)*"), 1, 0) as installutil_bypass
| if (process_name = "wuauclt.exe" and cmd_lower matches "*updatedeploymentprovider*", 1, 0) as wuauclt_dll
| if (process_name = "odbcconf.exe" and (cmd_lower matches "*(/a|-a|regsvr|.rsp)*"), 1, 0) as odbcconf_rsp
| toInt(is_office_parent) + toInt(has_remote_url) + toInt(has_com_script) + toInt(regsvr32_bypass) + toInt(mshta_sus) + toInt(rundll32_sus) + toInt(cmstp_inf) + toInt(installutil_bypass) + toInt(wuauclt_dll) + toInt(odbcconf_rsp) as suspicion_score
| where suspicion_score > 0
| fields _messageTime, Computer, User, process_name, CommandLine, parent_process_name, ParentCommandLine, is_office_parent, has_remote_url, regsvr32_bypass, mshta_sus, rundll32_sus, cmstp_inf, installutil_bypass, wuauclt_dll, odbcconf_rsp, suspicion_score
| sort by suspicion_score, _messageTime

Sumo Logic detection for T1218 LOLBin proxy execution via Sysmon process creation logs. Parses process and parent image names, evaluates multiple suspicion indicators, and scores each event. High scores indicate multi-signal matches consistent with living-off-the-land proxy execution techniques.

high severity high confidence

Data Sources

Sysmon Operational Log via Sumo Logic Windows Agent

Required Tables

_sourceCategory=windows/sysmon

False Positives

Automated patch management invoking msiexec.exe from cmd.exe or powershell.exe parent processes during maintenance windows
Browser helper objects or COM component registration via regsvr32.exe triggered by legitimate software installers
Enterprise management software (e.g., Tanium, BigFix) that uses rundll32.exe or wscript.exe to execute admin scripts

Google Chronicle / SecOps

yaral

rule t1218_lolbin_proxy_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1218 System Binary Proxy Execution via known LOLBins with suspicious parent processes, remote URLs, or technique-specific command-line arguments"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1218"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(mshta\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe|cmstp\.exe|installutil\.exe|regsvcs\.exe|regasm\.exe|odbcconf\.exe|verclsid\.exe|mavinject\.exe|hh\.exe|wuauclt\.exe|mmc\.exe|xwizard\.exe)$/
    (
      $e.principal.process.parent_process.file.full_path = /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|onenote\.exe|msaccess\.exe|mspub\.exe|visio\.exe|wscript\.exe|cscript\.exe|mshta\.exe|cmd\.exe|powershell\.exe|pwsh\.exe)$/ or
      $e.target.process.command_line = /(?i)(http:\/\/|https:\/\/|ftp:\/\/)/ or
      $e.target.process.command_line = /(?i)(\.sct|\.hta|\.vbs|\.wsf|\.js|scrobj)/ or
      ($e.principal.process.file.full_path = /(?i)regsvr32\.exe$/ and $e.target.process.command_line = /(?i)(/s|/u|/i:|scrobj|sct)/) or
      ($e.principal.process.file.full_path = /(?i)mshta\.exe$/ and $e.target.process.command_line = /(?i)(\.hta|javascript:|vbscript:)/) or
      ($e.principal.process.file.full_path = /(?i)rundll32\.exe$/ and $e.target.process.command_line = /(?i)(javascript:|shell32\.dll|advpack\.dll|ieadvpack\.dll|syssetup\.dll)/) or
      ($e.principal.process.file.full_path = /(?i)cmstp\.exe$/ and $e.target.process.command_line = /(?i)(/s|/ns|\.inf)/) or
      ($e.principal.process.file.full_path = /(?i)installutil\.exe$/ and $e.target.process.command_line = /(?i)(/logfile=|/LogToConsole=|/U)/) or
      ($e.principal.process.file.full_path = /(?i)wuauclt\.exe$/ and $e.target.process.command_line = /(?i)UpdateDeploymentProvider/) or
      ($e.principal.process.file.full_path = /(?i)odbcconf\.exe$/ and $e.target.process.command_line = /(?i)(/a|-a|regsvr|\.rsp)/)
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1218 LOLBin proxy execution. Matches PROCESS_LAUNCH events where a known LOLBin is spawned by a suspicious parent (Office apps, scripting engines) or exhibits technique-specific command-line patterns including remote URL loading, script extension references, and binary-specific bypass arguments.

high severity high confidence

Data Sources

Chronicle UDM Google Chronicle SIEM with Windows endpoint telemetry

Required Tables

UDM events with event_type PROCESS_LAUNCH

False Positives

IT automation tooling that legitimately invokes msiexec.exe or rundll32.exe from scripted parent processes such as powershell.exe during patching cycles
Security software that registers COM objects via regsvr32.exe or regasm.exe as part of agent installation
Custom enterprise applications that use installutil.exe to deploy .NET services in managed environments

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /(?i)^(mshta|rundll32|regsvr32|msiexec|cmstp|installutil|regsvcs|regasm|odbcconf|verclsid|mavinject|hh|wuauclt|mmc|xwizard|syncappvpublishingserver|appsyncpublishingserver)\.exe$/
| ParentBaseFileName = /(?i)^(winword|excel|powerpnt|outlook|onenote|msaccess|mspub|visio|wscript|cscript|mshta|cmd|powershell|pwsh|explorer)\.exe$/
  OR CommandLine = /(?i)(http:\/\/|https:\/\/|ftp:\/\/)/
  OR CommandLine = /(?i)(\.sct|\.hta|\.vbs|\.wsf|\.js|scrobj)/
  OR (FileName = /(?i)^regsvr32\.exe$/ AND CommandLine = /(?i)(/s|/u|/i:|scrobj|sct)/)
  OR (FileName = /(?i)^mshta\.exe$/ AND CommandLine = /(?i)(\.hta|javascript:|vbscript:)/)
  OR (FileName = /(?i)^rundll32\.exe$/ AND CommandLine = /(?i)(javascript:|shell32\.dll|advpack\.dll|ieadvpack\.dll|syssetup\.dll)/)
  OR (FileName = /(?i)^cmstp\.exe$/ AND CommandLine = /(?i)(/s|/ns|\.inf)/)
  OR (FileName = /(?i)^installutil\.exe$/ AND CommandLine = /(?i)(/logfile=|/LogToConsole=|/U)/)
  OR (FileName = /(?i)^wuauclt\.exe$/ AND CommandLine = /(?i)UpdateDeploymentProvider/)
  OR (FileName = /(?i)^odbcconf\.exe$/ AND CommandLine = /(?i)(/a|-a|regsvr|\.rsp)/)
| eval IsOfficeParent = if(ParentBaseFileName = /(?i)^(winword|excel|powerpnt|outlook|onenote|msaccess|mspub|visio)\.exe$/, 1, 0)
| eval HasRemoteURL = if(CommandLine = /(?i)(http:\/\/|https:\/\/|ftp:\/\/)/, 1, 0)
| eval HasComScript = if(CommandLine = /(?i)(\.sct|\.hta|\.vbs|\.wsf|\.js|scrobj)/, 1, 0)
| eval RegSvr32Bypass = if(FileName = /(?i)^regsvr32\.exe$/ AND CommandLine = /(?i)(/s|/u|/i:|scrobj|sct)/, 1, 0)
| eval MshtaSus = if(FileName = /(?i)^mshta\.exe$/ AND CommandLine = /(?i)(\.hta|javascript:|vbscript:)/, 1, 0)
| eval RunDll32Sus = if(FileName = /(?i)^rundll32\.exe$/ AND CommandLine = /(?i)(javascript:|shell32\.dll|advpack\.dll|ieadvpack\.dll|syssetup\.dll)/, 1, 0)
| eval CMSTPInf = if(FileName = /(?i)^cmstp\.exe$/ AND CommandLine = /(?i)(/s|/ns|\.inf)/, 1, 0)
| eval InstallUtilBypass = if(FileName = /(?i)^installutil\.exe$/ AND CommandLine = /(?i)(/logfile=|/LogToConsole=|/U)/, 1, 0)
| eval WuaucltDll = if(FileName = /(?i)^wuauclt\.exe$/ AND CommandLine = /(?i)UpdateDeploymentProvider/, 1, 0)
| eval OdbcConfRSP = if(FileName = /(?i)^odbcconf\.exe$/ AND CommandLine = /(?i)(/a|-a|regsvr|\.rsp)/, 1, 0)
| eval SuspicionScore = IsOfficeParent + HasRemoteURL + HasComScript + RegSvr32Bypass + MshtaSus + RunDll32Sus + CMSTPInf + InstallUtilBypass + WuaucltDll + OdbcConfRSP
| where SuspicionScore > 0
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, IsOfficeParent, HasRemoteURL, RegSvr32Bypass, MshtaSus, RunDll32Sus, CMSTPInf, InstallUtilBypass, WuaucltDll, OdbcConfRSP, SuspicionScore])
| sort(SuspicionScore, order=desc)

CrowdStrike LogScale (Falcon) detection for T1218 LOLBin proxy execution using ProcessRollup2 events. Filters on known LOLBin filenames, then scores each event across multiple suspicion indicators including Office/script parent process ancestry, remote URL references, COM script extensions, and binary-specific technique patterns. Requires Falcon sensor process telemetry.

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2 events)

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Legitimate software deployment systems using msiexec.exe or rundll32.exe invoked by management scripts running under powershell.exe or cmd.exe
COM-based application frameworks that call regsvr32.exe or regasm.exe to register plugins during install or repair operations
Security awareness or red team simulation tools running LOLBin atomic tests in a controlled environment without exclusions applied

Sigma rule & cross-platform mapping

The detection logic for System Binary Proxy Execution (T1218) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1218 Sigma rules on detection.fyi

Platform-specific guides for T1218

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-13 Research depth: deep

References (11)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Regsvr32 SCT Scriptlet Remote Execution
Expected signal: Sysmon Event ID 1: Process Create with Image=regsvr32.exe, CommandLine containing '/s /n /u /i:http://127.0.0.1:8080/payload.sct scrobj.dll'. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8080 (connection will fail). Sysmon Event ID 7: Image Load for scrobj.dll from C:\Windows\System32.
Test 2MSHTA Inline VBScript Execution
Expected signal: Sysmon Event ID 1: Process Create for mshta.exe with CommandLine containing 'vbscript:Execute'. Sysmon Event ID 1 child: cmd.exe spawned by mshta.exe. Sysmon Event ID 11: File creation of mshta_test.txt in %TEMP%.
Test 3CMSTP INF File UAC Bypass and Execution
Expected signal: Sysmon Event ID 1: Process Create for cmstp.exe with CommandLine containing '/s' and path to .inf file. Sysmon Event ID 11: File creation for test.inf and cmstp_test.txt. Sysmon Event ID 1 child: cmd.exe spawned by cmstp.exe executing the RunPreSetupCommands action.
Test 4InstallUtil CLR Bypass via /logfile Flag
Expected signal: Sysmon Event ID 1: Process Create for installutil.exe with CommandLine containing '/logfile=' and '/LogToConsole=false'. Sysmon Event ID 7: Image loads for CLR DLLs (clr.dll, mscorwks.dll). The command will fail against calc.exe (not a valid .NET assembly) but the process creation telemetry fires.
Test 5Rundll32 JavaScript Execution
Expected signal: Sysmon Event ID 1: Process Create for rundll32.exe with CommandLine containing 'javascript:' and 'mshtml'. Sysmon Event ID 7: Image Load for mshtml.dll into rundll32.exe. Sysmon Event ID 1 child: cmd.exe spawned. Sysmon Event ID 11: File creation for rundll32_test.txt.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1218 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

System Binary Proxy Execution

What is T1218 System Binary Proxy Execution?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1218

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (14)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

What is T1218 System Binary Proxy Execution?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1218

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (14)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox