T1218

System Binary Proxy Execution

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. Several Microsoft-signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Sub-techniques include abuse of mshta.exe, rundll32.exe, regsvr32.exe, msiexec.exe, cmstp.exe, installutil.exe, regsvcs.exe, regasm.exe, odbcconf.exe, verclsid.exe, mavinject.exe, control.exe (Control Panel), compiled HTML files (hh.exe), MMC snap-ins, Electron applications, and wuauclt.exe. On Linux, trusted binaries such as split may be abused similarly. Real-world usage includes Lazarus Group abusing wuauclt.exe to execute malicious DLLs and Volt Typhoon broadly leveraging LOLBins to maintain and expand network access.

Microsoft Sentinel / Defender

kusto

let LOLBins = dynamic([
  "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe",
  "cmstp.exe", "installutil.exe", "regsvcs.exe", "regasm.exe",
  "odbcconf.exe", "verclsid.exe", "mavinject.exe",
  "hh.exe", "wuauclt.exe", "mmc.exe", "xwizard.exe",
  "syncappvpublishingserver.exe", "appsyncpublishingserver.exe"
]);
let SuspiciousParents = dynamic([
  "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
  "onenote.exe", "msaccess.exe", "mspub.exe", "visio.exe",
  "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe",
  "powershell.exe", "pwsh.exe", "explorer.exe"
]);
let SuspiciousNetworkLOLBins = dynamic([
  "mshta.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe", "cmstp.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (LOLBins)
| extend IsOfficeParent = InitiatingProcessFileName in~ (SuspiciousParents)
| extend HasRemoteURL = ProcessCommandLine has_any ("http://", "https://", "ftp://", "\\\\")
| extend HasComScript = ProcessCommandLine has_any (".sct", ".hta", ".vbs", ".js", ".wsf", ".dll,", ".ocx")
| extend RegSvr32Bypass = (FileName =~ "regsvr32.exe" and ProcessCommandLine has_any ("/s", "/u", "/i:", "scrobj"))
| extend MshtaHta = (FileName =~ "mshta.exe" and ProcessCommandLine has_any (".hta", "javascript:", "vbscript:"))
| extend RunDll32Sus = (FileName =~ "rundll32.exe" and (ProcessCommandLine has_any ("javascript:", "shell32.dll", "advpack.dll", "ieadvpack.dll", "syssetup.dll") or ProcessCommandLine matches regex @"rundll32\.exe\s+[^,]+,(\w+)"))
| extend CMSTPInf = (FileName =~ "cmstp.exe" and ProcessCommandLine has_any ("/s", "/ns", ".inf"))
| extend InstallUtilBypass = (FileName =~ "installutil.exe" and ProcessCommandLine has_any ("/logfile=", "/LogToConsole=", "/U"))
| extend WuaucltDll = (FileName =~ "wuauclt.exe" and ProcessCommandLine has_any ("UpdateDeploymentProvider", "/UpdateDeploymentProvider"))
| extend OdbcConfRSP = (FileName =~ "odbcconf.exe" and ProcessCommandLine has_any ("/a", "-a", "regsvr", ".rsp"))
| extend SuspicionScore = toint(IsOfficeParent) + toint(HasRemoteURL) + toint(HasComScript)
    + toint(RegSvr32Bypass) + toint(MshtaHta) + toint(RunDll32Sus)
    + toint(CMSTPInf) + toint(InstallUtilBypass) + toint(WuaucltDll) + toint(OdbcConfRSP)
| where SuspicionScore > 0
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsOfficeParent, HasRemoteURL, HasComScript, RegSvr32Bypass,
         MshtaHta, RunDll32Sus, CMSTPInf, InstallUtilBypass, WuaucltDll, OdbcConfRSP,
         SuspicionScore
| sort by SuspicionScore desc, Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate software installers using msiexec.exe or installutil.exe during application deployment
Administrative scripts and IT management tools (SCCM, PDQ Deploy) invoking rundll32.exe or regsvr32.exe for component registration
Corporate HTA-based applications (legacy web apps, admin dashboards) legitimately executed via mshta.exe
VPN and security software installers using cmstp.exe to configure connection profiles during initial setup
Windows Update processes legitimately invoking wuauclt.exe as part of the update delivery mechanism

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\mshta.exe" OR Image="*\\rundll32.exe" OR Image="*\\regsvr32.exe"
   OR Image="*\\msiexec.exe" OR Image="*\\cmstp.exe" OR Image="*\\installutil.exe"
   OR Image="*\\regsvcs.exe" OR Image="*\\regasm.exe" OR Image="*\\odbcconf.exe"
   OR Image="*\\verclsid.exe" OR Image="*\\mavinject.exe" OR Image="*\\hh.exe"
   OR Image="*\\wuauclt.exe" OR Image="*\\mmc.exe" OR Image="*\\xwizard.exe")
| eval CommandLine=lower(CommandLine)
| eval ParentImage=lower(ParentImage)
| eval IsOfficeParent=if(match(ParentImage, "(winword|excel|powerpnt|outlook|onenote|msaccess|mspub|visio|wscript|cscript)\.exe"), 1, 0)
| eval HasRemoteURL=if(match(CommandLine, "(http://|https://|ftp://)"), 1, 0)
| eval HasComScript=if(match(CommandLine, "(\.sct|\.hta|\.vbs|\.wsf|\.js|scrobj|,\s*[a-z])"), 1, 0)
| eval RegSvr32Bypass=if(match(Image, "regsvr32\.exe") AND match(CommandLine, "(/s|/u|/i:|scrobj|sct)"), 1, 0)
| eval MshtaSus=if(match(Image, "mshta\.exe") AND match(CommandLine, "(\.hta|javascript:|vbscript:)"), 1, 0)
| eval RunDll32Sus=if(match(Image, "rundll32\.exe") AND match(CommandLine, "(javascript:|shell32|advpack|ieadvpack|syssetup)"), 1, 0)
| eval CMSTPInf=if(match(Image, "cmstp\.exe") AND match(CommandLine, "(/s|/ns|\.inf)"), 1, 0)
| eval InstallUtilBypass=if(match(Image, "installutil\.exe") AND match(CommandLine, "(/logfile=|/logtoconsole=|/u)"), 1, 0)
| eval WuaucltDll=if(match(Image, "wuauclt\.exe") AND match(CommandLine, "(updatedeploymentprovider)"), 1, 0)
| eval OdbcConfRSP=if(match(Image, "odbcconf\.exe") AND match(CommandLine, "(/a|-a|regsvr|\.rsp)"), 1, 0)
| eval SuspicionScore=IsOfficeParent + HasRemoteURL + HasComScript + RegSvr32Bypass + MshtaSus + RunDll32Sus + CMSTPInf + InstallUtilBypass + WuaucltDll + OdbcConfRSP
| where SuspicionScore > 0
| eval LOLBin=mvindex(split(Image, "\\"), -1)
| table _time, host, User, LOLBin, CommandLine, ParentImage, ParentCommandLine,
        IsOfficeParent, HasRemoteURL, RegSvr32Bypass, MshtaSus, RunDll32Sus,
        CMSTPInf, InstallUtilBypass, WuaucltDll, OdbcConfRSP, SuspicionScore
| sort - SuspicionScore, - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate software installers using msiexec.exe or installutil.exe during application deployment
Administrative scripts and IT management tools invoking rundll32.exe or regsvr32.exe for component registration
Corporate HTA-based applications legitimately executed via mshta.exe by help desk or admin tooling
VPN and security software installers using cmstp.exe to configure connection profiles
Windows Update processes legitimately invoking wuauclt.exe during update delivery

Elastic Security (EQL)

eql

process where event.type == "start" and
  process.name in~ ("mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "cmstp.exe", "installutil.exe", "regsvcs.exe", "regasm.exe", "odbcconf.exe", "verclsid.exe", "mavinject.exe", "hh.exe", "wuauclt.exe", "mmc.exe", "xwizard.exe", "syncappvpublishingserver.exe", "appsyncpublishingserver.exe") and
  (
    process.parent.name in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "msaccess.exe", "mspub.exe", "visio.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe") or
    process.command_line like~ "*http://*" or process.command_line like~ "*https://*" or process.command_line like~ "*ftp://*" or
    process.command_line like~ "*.sct*" or process.command_line like~ "*.hta*" or process.command_line like~ "*.vbs*" or process.command_line like~ "*.wsf*" or process.command_line like~ "scrobj*" or
    (process.name =~ "regsvr32.exe" and (process.command_line like~ "*/s*" or process.command_line like~ "*/i:*" or process.command_line like~ "*scrobj*")) or
    (process.name =~ "mshta.exe" and (process.command_line like~ "*.hta*" or process.command_line like~ "*javascript:*" or process.command_line like~ "*vbscript:*")) or
    (process.name =~ "rundll32.exe" and (process.command_line like~ "*javascript:*" or process.command_line like~ "*shell32.dll*" or process.command_line like~ "*advpack.dll*" or process.command_line like~ "*ieadvpack.dll*" or process.command_line like~ "*syssetup.dll*")) or
    (process.name =~ "cmstp.exe" and (process.command_line like~ "*/s*" or process.command_line like~ "*/ns*" or process.command_line like~ "*.inf*")) or
    (process.name =~ "installutil.exe" and (process.command_line like~ "*/logfile=*" or process.command_line like~ "*/LogToConsole=*" or process.command_line like~ "*/U*")) or
    (process.name =~ "wuauclt.exe" and process.command_line like~ "*UpdateDeploymentProvider*") or
    (process.name =~ "odbcconf.exe" and (process.command_line like~ "*/a*" or process.command_line like~ "*regsvr*" or process.command_line like~ "*.rsp*"))
  )

high severity high confidence

Data Sources

Elastic Endpoint Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate IT administrative use of msiexec.exe or rundll32.exe for software deployment via SCCM/Intune from cmd.exe or powershell.exe parent
Developer tooling such as InstallUtil.exe used during .NET application installation or CI/CD pipelines
Security tools or EDR agents that invoke regsvr32.exe or regasm.exe to register COM components during install or update

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "Process Name",
  "Command",
  "Parent Process Name",
  sourceip,
  hostname,
  CASE
    WHEN LOWER("Parent Process Name") MATCHES '.*\\\\(winword|excel|powerpnt|outlook|onenote|msaccess|mspub|visio|wscript|cscript)\.exe' THEN 1 ELSE 0
  END +
  CASE WHEN LOWER("Command") MATCHES '.*(http://|https://|ftp://).*' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Command") MATCHES '.*(\.sct|\.hta|\.vbs|\.wsf|\.js|scrobj).*' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") MATCHES '.*\\\\regsvr32\.exe' AND LOWER("Command") MATCHES '.*/s|/u|/i:|scrobj|sct.*' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") MATCHES '.*\\\\mshta\.exe' AND LOWER("Command") MATCHES '.*(\.hta|javascript:|vbscript:).*' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") MATCHES '.*\\\\rundll32\.exe' AND LOWER("Command") MATCHES '.*(javascript:|shell32|advpack|ieadvpack|syssetup).*' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") MATCHES '.*\\\\cmstp\.exe' AND LOWER("Command") MATCHES '.*(/s|/ns|\.inf).*' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") MATCHES '.*\\\\installutil\.exe' AND LOWER("Command") MATCHES '.*/logfile=|/logtoconsole=|/u.*' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") MATCHES '.*\\\\wuauclt\.exe' AND LOWER("Command") MATCHES '.*updatedeploymentprovider.*' THEN 1 ELSE 0 END +
  CASE WHEN LOWER("Process Name") MATCHES '.*\\\\odbcconf\.exe' AND LOWER("Command") MATCHES '.*/a|-a|regsvr|\.rsp.*' THEN 1 ELSE 0 END
  AS suspicion_score
FROM events
WHERE
  LOGSOURCETYPEID = 119
  AND qid = 5001000
  AND (
    LOWER("Process Name") MATCHES '.*\\\\(mshta|rundll32|regsvr32|msiexec|cmstp|installutil|regsvcs|regasm|odbcconf|verclsid|mavinject|hh|wuauclt|mmc|xwizard)\.exe'
  )
  AND (
    LOWER("Parent Process Name") MATCHES '.*\\\\(winword|excel|powerpnt|outlook|onenote|msaccess|wscript|cscript|cmd|powershell)\.exe'
    OR LOWER("Command") MATCHES '.*(http://|https://|ftp://|\.sct|\.hta|\.vbs|scrobj|updatedeploymentprovider|\.rsp).*'
  )
HAVING suspicion_score > 0
ORDER BY suspicion_score DESC, event_time DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Sysmon (via Windows Event Log) QRadar WinCollect agent

Required Tables

events

False Positives

SCCM or software management tools invoking msiexec.exe or rundll32.exe from cmd.exe for legitimate deployments
Helpdesk or IT scripts that use wscript.exe to launch msiexec for application installs
Security product installers that register DLLs via regsvr32.exe or regasm.exe during initial setup

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon
| where EventID = "1"
| parse regex field=Image "(?<process_name>[^\\\\]+)$"
| parse regex field=ParentImage "(?<parent_process_name>[^\\\\]+)$"
| where process_name in ("mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "cmstp.exe", "installutil.exe", "regsvcs.exe", "regasm.exe", "odbcconf.exe", "verclsid.exe", "mavinject.exe", "hh.exe", "wuauclt.exe", "mmc.exe", "xwizard.exe")
| toLowerCase(CommandLine) as cmd_lower
| toLowerCase(ParentImage) as parent_lower
| if (parent_lower matches "*(winword|excel|powerpnt|outlook|onenote|msaccess|mspub|visio|wscript|cscript|cmd|powershell).exe*", 1, 0) as is_office_parent
| if (cmd_lower matches "*(http://|https://|ftp://)*", 1, 0) as has_remote_url
| if (cmd_lower matches "*(.sct|.hta|.vbs|.wsf|.js|scrobj)*", 1, 0) as has_com_script
| if (process_name = "regsvr32.exe" and (cmd_lower matches "*(/s|/u|/i:|scrobj|sct)*"), 1, 0) as regsvr32_bypass
| if (process_name = "mshta.exe" and (cmd_lower matches "*(.hta|javascript:|vbscript:)*"), 1, 0) as mshta_sus
| if (process_name = "rundll32.exe" and (cmd_lower matches "*(javascript:|shell32|advpack|ieadvpack|syssetup)*"), 1, 0) as rundll32_sus
| if (process_name = "cmstp.exe" and (cmd_lower matches "*(/s|/ns|.inf)*"), 1, 0) as cmstp_inf
| if (process_name = "installutil.exe" and (cmd_lower matches "*(/logfile=|/logtoconsole=|/u)*"), 1, 0) as installutil_bypass
| if (process_name = "wuauclt.exe" and cmd_lower matches "*updatedeploymentprovider*", 1, 0) as wuauclt_dll
| if (process_name = "odbcconf.exe" and (cmd_lower matches "*(/a|-a|regsvr|.rsp)*"), 1, 0) as odbcconf_rsp
| toInt(is_office_parent) + toInt(has_remote_url) + toInt(has_com_script) + toInt(regsvr32_bypass) + toInt(mshta_sus) + toInt(rundll32_sus) + toInt(cmstp_inf) + toInt(installutil_bypass) + toInt(wuauclt_dll) + toInt(odbcconf_rsp) as suspicion_score
| where suspicion_score > 0
| fields _messageTime, Computer, User, process_name, CommandLine, parent_process_name, ParentCommandLine, is_office_parent, has_remote_url, regsvr32_bypass, mshta_sus, rundll32_sus, cmstp_inf, installutil_bypass, wuauclt_dll, odbcconf_rsp, suspicion_score
| sort by suspicion_score, _messageTime

high severity high confidence

Data Sources

Sysmon Operational Log via Sumo Logic Windows Agent

Required Tables

_sourceCategory=windows/sysmon

False Positives

Automated patch management invoking msiexec.exe from cmd.exe or powershell.exe parent processes during maintenance windows
Browser helper objects or COM component registration via regsvr32.exe triggered by legitimate software installers
Enterprise management software (e.g., Tanium, BigFix) that uses rundll32.exe or wscript.exe to execute admin scripts

Google Chronicle / SecOps

yaral

rule t1218_lolbin_proxy_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1218 System Binary Proxy Execution via known LOLBins with suspicious parent processes, remote URLs, or technique-specific command-line arguments"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1218"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(mshta\.exe|rundll32\.exe|regsvr32\.exe|msiexec\.exe|cmstp\.exe|installutil\.exe|regsvcs\.exe|regasm\.exe|odbcconf\.exe|verclsid\.exe|mavinject\.exe|hh\.exe|wuauclt\.exe|mmc\.exe|xwizard\.exe)$/
    (
      $e.principal.process.parent_process.file.full_path = /(?i)(winword\.exe|excel\.exe|powerpnt\.exe|outlook\.exe|onenote\.exe|msaccess\.exe|mspub\.exe|visio\.exe|wscript\.exe|cscript\.exe|mshta\.exe|cmd\.exe|powershell\.exe|pwsh\.exe)$/ or
      $e.target.process.command_line = /(?i)(http:\/\/|https:\/\/|ftp:\/\/)/ or
      $e.target.process.command_line = /(?i)(\.sct|\.hta|\.vbs|\.wsf|\.js|scrobj)/ or
      ($e.principal.process.file.full_path = /(?i)regsvr32\.exe$/ and $e.target.process.command_line = /(?i)(/s|/u|/i:|scrobj|sct)/) or
      ($e.principal.process.file.full_path = /(?i)mshta\.exe$/ and $e.target.process.command_line = /(?i)(\.hta|javascript:|vbscript:)/) or
      ($e.principal.process.file.full_path = /(?i)rundll32\.exe$/ and $e.target.process.command_line = /(?i)(javascript:|shell32\.dll|advpack\.dll|ieadvpack\.dll|syssetup\.dll)/) or
      ($e.principal.process.file.full_path = /(?i)cmstp\.exe$/ and $e.target.process.command_line = /(?i)(/s|/ns|\.inf)/) or
      ($e.principal.process.file.full_path = /(?i)installutil\.exe$/ and $e.target.process.command_line = /(?i)(/logfile=|/LogToConsole=|/U)/) or
      ($e.principal.process.file.full_path = /(?i)wuauclt\.exe$/ and $e.target.process.command_line = /(?i)UpdateDeploymentProvider/) or
      ($e.principal.process.file.full_path = /(?i)odbcconf\.exe$/ and $e.target.process.command_line = /(?i)(/a|-a|regsvr|\.rsp)/)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM Google Chronicle SIEM with Windows endpoint telemetry

Required Tables

UDM events with event_type PROCESS_LAUNCH

False Positives

IT automation tooling that legitimately invokes msiexec.exe or rundll32.exe from scripted parent processes such as powershell.exe during patching cycles
Security software that registers COM objects via regsvr32.exe or regasm.exe as part of agent installation
Custom enterprise applications that use installutil.exe to deploy .NET services in managed environments

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /(?i)^(mshta|rundll32|regsvr32|msiexec|cmstp|installutil|regsvcs|regasm|odbcconf|verclsid|mavinject|hh|wuauclt|mmc|xwizard|syncappvpublishingserver|appsyncpublishingserver)\.exe$/
| ParentBaseFileName = /(?i)^(winword|excel|powerpnt|outlook|onenote|msaccess|mspub|visio|wscript|cscript|mshta|cmd|powershell|pwsh|explorer)\.exe$/
  OR CommandLine = /(?i)(http:\/\/|https:\/\/|ftp:\/\/)/
  OR CommandLine = /(?i)(\.sct|\.hta|\.vbs|\.wsf|\.js|scrobj)/
  OR (FileName = /(?i)^regsvr32\.exe$/ AND CommandLine = /(?i)(/s|/u|/i:|scrobj|sct)/)
  OR (FileName = /(?i)^mshta\.exe$/ AND CommandLine = /(?i)(\.hta|javascript:|vbscript:)/)
  OR (FileName = /(?i)^rundll32\.exe$/ AND CommandLine = /(?i)(javascript:|shell32\.dll|advpack\.dll|ieadvpack\.dll|syssetup\.dll)/)
  OR (FileName = /(?i)^cmstp\.exe$/ AND CommandLine = /(?i)(/s|/ns|\.inf)/)
  OR (FileName = /(?i)^installutil\.exe$/ AND CommandLine = /(?i)(/logfile=|/LogToConsole=|/U)/)
  OR (FileName = /(?i)^wuauclt\.exe$/ AND CommandLine = /(?i)UpdateDeploymentProvider/)
  OR (FileName = /(?i)^odbcconf\.exe$/ AND CommandLine = /(?i)(/a|-a|regsvr|\.rsp)/)
| eval IsOfficeParent = if(ParentBaseFileName = /(?i)^(winword|excel|powerpnt|outlook|onenote|msaccess|mspub|visio)\.exe$/, 1, 0)
| eval HasRemoteURL = if(CommandLine = /(?i)(http:\/\/|https:\/\/|ftp:\/\/)/, 1, 0)
| eval HasComScript = if(CommandLine = /(?i)(\.sct|\.hta|\.vbs|\.wsf|\.js|scrobj)/, 1, 0)
| eval RegSvr32Bypass = if(FileName = /(?i)^regsvr32\.exe$/ AND CommandLine = /(?i)(/s|/u|/i:|scrobj|sct)/, 1, 0)
| eval MshtaSus = if(FileName = /(?i)^mshta\.exe$/ AND CommandLine = /(?i)(\.hta|javascript:|vbscript:)/, 1, 0)
| eval RunDll32Sus = if(FileName = /(?i)^rundll32\.exe$/ AND CommandLine = /(?i)(javascript:|shell32\.dll|advpack\.dll|ieadvpack\.dll|syssetup\.dll)/, 1, 0)
| eval CMSTPInf = if(FileName = /(?i)^cmstp\.exe$/ AND CommandLine = /(?i)(/s|/ns|\.inf)/, 1, 0)
| eval InstallUtilBypass = if(FileName = /(?i)^installutil\.exe$/ AND CommandLine = /(?i)(/logfile=|/LogToConsole=|/U)/, 1, 0)
| eval WuaucltDll = if(FileName = /(?i)^wuauclt\.exe$/ AND CommandLine = /(?i)UpdateDeploymentProvider/, 1, 0)
| eval OdbcConfRSP = if(FileName = /(?i)^odbcconf\.exe$/ AND CommandLine = /(?i)(/a|-a|regsvr|\.rsp)/, 1, 0)
| eval SuspicionScore = IsOfficeParent + HasRemoteURL + HasComScript + RegSvr32Bypass + MshtaSus + RunDll32Sus + CMSTPInf + InstallUtilBypass + WuaucltDll + OdbcConfRSP
| where SuspicionScore > 0
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, IsOfficeParent, HasRemoteURL, RegSvr32Bypass, MshtaSus, RunDll32Sus, CMSTPInf, InstallUtilBypass, WuaucltDll, OdbcConfRSP, SuspicionScore])
| sort(SuspicionScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2 events)

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Legitimate software deployment systems using msiexec.exe or rundll32.exe invoked by management scripts running under powershell.exe or cmd.exe
COM-based application frameworks that call regsvr32.exe or regasm.exe to register plugins during install or repair operations
Security awareness or red team simulation tools running LOLBin atomic tests in a controlled environment without exclusions applied

Last updated: 2026-04-13 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1218 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

System Binary Proxy Execution

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (14)

Same Tactic: Defense Evasion

Popular Detections