T1218: T1218

Search IOCs, vulnerabilities, APT…

216.73.217.80

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 18/04/2018 19:59 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID: T1218
Confidence: 100/100
Revoked: No
Published: 18/04/2018 19:59
Modified: 27/03/2026 01:09
Author / Source: The MITRE Corporation

Aliases

System Binary Proxy Execution

Platforms

windows macos linux

Description

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Similarly, on Linux systems adversaries may abuse trusted binaries such as `split` to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

split man page
GTFO split
LOLBAS Project
mitre-attack (T1218)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (54)

DeadLock uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hydra Saiga uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN7 uses GOLD NIAGARAITG14

The MITRE Corporation Confidence 100

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-36 related Blind Eagle

The MITRE Corporation Confidence 100

[APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-60 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT32 related SeaLotusAPT-C-00

The MITRE Corporation Confidence 100

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Amaranth-Dragon related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Andariel related Silent ChollimaPLUTONIUM

The MITRE Corporation Confidence 100

[Andariel](https://attack.mitre.org/groups/G0138) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://attack.mitre.org/groups/G0138) has primarily focused its operations--which have included destructive attacks--against South Korean…

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackByte related Hecamede

The MITRE Corporation Confidence 100

[BlackByte](https://attack.mitre.org/groups/G1043) is a ransomware threat actor operating since at least 2021. [BlackByte](https://attack.mitre.org/groups/G1043) is associated with several versions of ransomware also labeled [BlackByte Ransomware](https://attack.mitre.org/software/S1180). [BlackByte](https://attack.mitre.org/groups/G1043) ransomware operations initially used…

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackMagic related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Blackwood related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Bumblebee related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

13–24 of 54

RtlShare uses
Raspberry Robin uses

Family
Deer Stealer uses

Family
TA428 uses
PikoloRAT uses
zgRAT uses

Family
Bughatch uses
Stealerium uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lumar uses
CrySome RAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Grace uses
Meduza Stealer uses

Family

← Previous

Page / 7

13–24 of 82

AsyncRAT and Remcos delivered in an optimistic campaign related

AlienVault Confidence 100 11 MITREs 70 IOCs 13 Observables
3CXDesktopApp Intrusion Campaign Prevention related

AlienVault Confidence 100 20 MITREs 2 Malwares 29 IOCs 20 Observables 1 APT
OptinMonster supply chain attack hits 1.2 million sites related

AlienVault Confidence 100 20 MITREs 10 IOCs 10 Observables
The Demon Arrives Later: A Havoc Stager Hides … related

AlienVault Confidence 100 1 CVE 18 MITREs 3 Malwares 27 IOCs 27 Observables
Reloaded in a modern Remcos RAT Infection related

16 MITREs 2 Malwares 4 Observables
Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal … related

AlienVault Confidence 100 23 MITREs 1 Malware 8 IOCs 8 Observables
Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns related

AlienVault Confidence 100 20 MITREs 4 Malwares 13 IOCs 13 Observables 1 APT
APT Targets Azerbaijani Oil and Gas Industry related

5 CVEs 20 MITREs 3 Malwares 2 Observables 1 APT
Exposing Fox Tempest: A malware-signing service operation related

AlienVault Confidence 100 20 MITREs 9 Malwares 4 IOCs 4 Observables 1 APT
Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to … related

20 MITREs 2 Malwares 5 Observables
Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's … related

AlienVault Confidence 100 24 MITREs 2 Malwares 13 IOCs 13 Observables
Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline … related

AlienVault Confidence 100 20 MITREs 16 Malwares 42 IOCs 42 Observables 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (66)

CVE-2023-36802 KEV targets

7.8 High

Microsoft Streaming Service Proxy contains an unspecified vulnerability that allows for privilege escalation.

Attack vector: Local
Published: 12/09/2023
Modified: 21/12/2025

CVE-2023-42793 KEV targets

9.8 Critical

JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.

Attack vector: Network
Published: 04/10/2023
Modified: 29/05/2026

CVE-2019-3980 targets

9.8 Critical

The Solarwinds Dameware Mini Remote Client agent v12.1.0.89 supports smart card authentication which can allow a user to upload an executable to …

Attack vector: NETWORK
Published: 08/10/2019
Modified: 21/12/2025

CVE-2024-20399 KEV targets

6.0 Medium

Cisco NX-OS contains a command injection vulnerability in the command line interface (CLI) that could allow an authenticated, local attacker to execute …

Attack vector: Local
Published: 02/07/2024
Modified: 21/12/2025

CVE-2021-26857 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2025-26633 KEV targets

7.0 High

Microsoft Windows Management Console (MMC) contains an improper neutralization vulnerability that allows an unauthorized attacker to bypass a security feature locally.

Attack vector: Local
Published: 11/03/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2024-43451 KEV targets

6.5 Medium

Microsoft Windows contains an NTLMv2 hash spoofing vulnerability that could result in disclosing a user's NTLMv2 hash to an attacker via a …

Attack vector: Network
Published: 12/11/2024
Modified: 27/05/2026

Analyzed

CVE-2021-41773 KEV targets

9.8 Critical

Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured …

Attack vector: Network
Published: 03/11/2021
Modified: 18/02/2026

CVE-2022-41040 KEV targets

8.8 High

Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.

Attack vector: Network
Published: 30/09/2022
Modified: 20/12/2025

CVE-2021-26858 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2023-38831 KEV targets

7.8 High

RARLAB WinRAR contains an unspecified vulnerability that allows an attacker to execute code when a user attempts to view a benign file …

Attack vector: Local
Published: 24/08/2023
Modified: 27/05/2026

CVE-2019-18935 KEV targets

Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the …

Published: 03/11/2021
Modified: 20/12/2025

← Previous

Page / 6

37–48 of 66

T1218.004 subtechnique-of

InstallUtil MITRE

Course Of Action (2)

Exploit Protection mitigates
Disable or Remove Feature or Program mitigates

Contact About Legal notice Privacy policy Terms of use

T1218: T1218

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (54)

Malware (82)

Reports (50)

Vulnerabilities (CVE) (66)

Attack patterns (MITRE) (1)

Course Of Action (2)