T1218 Splunk · SPL

Detect System Binary Proxy Execution in Splunk

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. Several Microsoft-signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Sub-techniques include abuse of mshta.exe, rundll32.exe, regsvr32.exe, msiexec.exe, cmstp.exe, installutil.exe, regsvcs.exe, regasm.exe, odbcconf.exe, verclsid.exe, mavinject.exe, control.exe (Control Panel), compiled HTML files (hh.exe), MMC snap-ins, Electron applications, and wuauclt.exe. On Linux, trusted binaries such as split may be abused similarly. Real-world usage includes Lazarus Group abusing wuauclt.exe to execute malicious DLLs and Volt Typhoon broadly leveraging LOLBins to maintain and expand network access.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Canonical reference
https://attack.mitre.org/techniques/T1218/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\mshta.exe" OR Image="*\\rundll32.exe" OR Image="*\\regsvr32.exe"
   OR Image="*\\msiexec.exe" OR Image="*\\cmstp.exe" OR Image="*\\installutil.exe"
   OR Image="*\\regsvcs.exe" OR Image="*\\regasm.exe" OR Image="*\\odbcconf.exe"
   OR Image="*\\verclsid.exe" OR Image="*\\mavinject.exe" OR Image="*\\hh.exe"
   OR Image="*\\wuauclt.exe" OR Image="*\\mmc.exe" OR Image="*\\xwizard.exe")
| eval CommandLine=lower(CommandLine)
| eval ParentImage=lower(ParentImage)
| eval IsOfficeParent=if(match(ParentImage, "(winword|excel|powerpnt|outlook|onenote|msaccess|mspub|visio|wscript|cscript)\.exe"), 1, 0)
| eval HasRemoteURL=if(match(CommandLine, "(http://|https://|ftp://)"), 1, 0)
| eval HasComScript=if(match(CommandLine, "(\.sct|\.hta|\.vbs|\.wsf|\.js|scrobj|,\s*[a-z])"), 1, 0)
| eval RegSvr32Bypass=if(match(Image, "regsvr32\.exe") AND match(CommandLine, "(/s|/u|/i:|scrobj|sct)"), 1, 0)
| eval MshtaSus=if(match(Image, "mshta\.exe") AND match(CommandLine, "(\.hta|javascript:|vbscript:)"), 1, 0)
| eval RunDll32Sus=if(match(Image, "rundll32\.exe") AND match(CommandLine, "(javascript:|shell32|advpack|ieadvpack|syssetup)"), 1, 0)
| eval CMSTPInf=if(match(Image, "cmstp\.exe") AND match(CommandLine, "(/s|/ns|\.inf)"), 1, 0)
| eval InstallUtilBypass=if(match(Image, "installutil\.exe") AND match(CommandLine, "(/logfile=|/logtoconsole=|/u)"), 1, 0)
| eval WuaucltDll=if(match(Image, "wuauclt\.exe") AND match(CommandLine, "(updatedeploymentprovider)"), 1, 0)
| eval OdbcConfRSP=if(match(Image, "odbcconf\.exe") AND match(CommandLine, "(/a|-a|regsvr|\.rsp)"), 1, 0)
| eval SuspicionScore=IsOfficeParent + HasRemoteURL + HasComScript + RegSvr32Bypass + MshtaSus + RunDll32Sus + CMSTPInf + InstallUtilBypass + WuaucltDll + OdbcConfRSP
| where SuspicionScore > 0
| eval LOLBin=mvindex(split(Image, "\\"), -1)
| table _time, host, User, LOLBin, CommandLine, ParentImage, ParentCommandLine,
        IsOfficeParent, HasRemoteURL, RegSvr32Bypass, MshtaSus, RunDll32Sus,
        CMSTPInf, InstallUtilBypass, WuaucltDll, OdbcConfRSP, SuspicionScore
| sort - SuspicionScore, - _time
high severity high confidence

Detects LOLBin proxy execution across the T1218 technique family using Sysmon Event ID 1 (Process Creation). Monitors for known trusted Windows binaries invoked with suspicious arguments: Regsvr32 scrobj/SCT loading, MSHTA with HTA or inline JavaScript/VBScript, RunDll32 with JavaScript or known bypass DLLs, CMSTP with INF sideloading, InstallUtil CLR bypass flags, wuauclt UpdateDeploymentProvider DLL loading, and odbcconf RSP file abuse. The suspicion score aggregates matching indicators to help analysts prioritize high-confidence events.

Data Sources

Process: Process CreationCommand: Command ExecutionSysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate software installers using msiexec.exe or installutil.exe during application deployment
  • Administrative scripts and IT management tools invoking rundll32.exe or regsvr32.exe for component registration
  • Corporate HTA-based applications legitimately executed via mshta.exe by help desk or admin tooling
  • VPN and security software installers using cmstp.exe to configure connection profiles
  • Windows Update processes legitimately invoking wuauclt.exe during update delivery
Download portable Sigma rule (.yml)

Other platforms for T1218

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Regsvr32 SCT Scriptlet Remote Execution

    Expected signal: Sysmon Event ID 1: Process Create with Image=regsvr32.exe, CommandLine containing '/s /n /u /i:http://127.0.0.1:8080/payload.sct scrobj.dll'. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8080 (connection will fail). Sysmon Event ID 7: Image Load for scrobj.dll from C:\Windows\System32.

  2. Test 2MSHTA Inline VBScript Execution

    Expected signal: Sysmon Event ID 1: Process Create for mshta.exe with CommandLine containing 'vbscript:Execute'. Sysmon Event ID 1 child: cmd.exe spawned by mshta.exe. Sysmon Event ID 11: File creation of mshta_test.txt in %TEMP%.

  3. Test 3CMSTP INF File UAC Bypass and Execution

    Expected signal: Sysmon Event ID 1: Process Create for cmstp.exe with CommandLine containing '/s' and path to .inf file. Sysmon Event ID 11: File creation for test.inf and cmstp_test.txt. Sysmon Event ID 1 child: cmd.exe spawned by cmstp.exe executing the RunPreSetupCommands action.

  4. Test 4InstallUtil CLR Bypass via /logfile Flag

    Expected signal: Sysmon Event ID 1: Process Create for installutil.exe with CommandLine containing '/logfile=' and '/LogToConsole=false'. Sysmon Event ID 7: Image loads for CLR DLLs (clr.dll, mscorwks.dll). The command will fail against calc.exe (not a valid .NET assembly) but the process creation telemetry fires.

  5. Test 5Rundll32 JavaScript Execution

    Expected signal: Sysmon Event ID 1: Process Create for rundll32.exe with CommandLine containing 'javascript:' and 'mshtml'. Sysmon Event ID 7: Image Load for mshtml.dll into rundll32.exe. Sysmon Event ID 1 child: cmd.exe spawned. Sysmon Event ID 11: File creation for rundll32_test.txt.

Last updated: 2026-04-13 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1218 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (14)

Related Techniques

T1218.001Compiled HTML FileT1218.002Control PanelT1218.003CMSTPT1218.004InstallUtilT1218.005MshtaT1218.007MsiexecT1218.008OdbcconfT1218.009Regsvcs/RegasmT1218.010Regsvr32T1218.011Rundll32T1218.012VerclsidT1218.013MavinjectT1218.014MMCT1218.015Electron ApplicationsT1059.001PowerShellT1059.003Windows Command ShellT1105Ingress Tool TransferT1566.001Spearphishing AttachmentT1053.005Scheduled TaskT1027Obfuscated Files or Information

Same Tactic: Defense Evasion

Popular Detections