T1218: T1218

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 18/04/2018 19:59 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID: T1218
Confidence: 100/100
Revoked: No
Published: 18/04/2018 19:59
Modified: 27/03/2026 01:09
Author / Source: The MITRE Corporation

Aliases

System Binary Proxy Execution

Platforms

windows macos linux

Description

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Similarly, on Linux systems adversaries may abuse trusted binaries such as `split` to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

split man page
GTFO split
LOLBAS Project
mitre-attack (T1218)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (54)

DeadLock uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hydra Saiga uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN7 uses GOLD NIAGARAITG14

The MITRE Corporation Confidence 100

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-36 related Blind Eagle

The MITRE Corporation Confidence 100

[APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-60 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT32 related SeaLotusAPT-C-00

The MITRE Corporation Confidence 100

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Amaranth-Dragon related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Andariel related Silent ChollimaPLUTONIUM

The MITRE Corporation Confidence 100

[Andariel](https://attack.mitre.org/groups/G0138) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://attack.mitre.org/groups/G0138) has primarily focused its operations--which have included destructive attacks--against South Korean…

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackByte related Hecamede

The MITRE Corporation Confidence 100

[BlackByte](https://attack.mitre.org/groups/G1043) is a ransomware threat actor operating since at least 2021. [BlackByte](https://attack.mitre.org/groups/G1043) is associated with several versions of ransomware also labeled [BlackByte Ransomware](https://attack.mitre.org/software/S1180). [BlackByte](https://attack.mitre.org/groups/G1043) ransomware operations initially used…

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackMagic related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Blackwood related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Bumblebee related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

13–24 of 54

BitRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
gh0st - S0032 uses
Mythic - S0699 uses

Family
DeadLock uses

Family
SHA-256 uses
Rhadamanthys uses

Family
Lynx uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SILENTCONNECT uses

Family
Conti uses

Family
Crytox uses

Family
AXLocker uses
PureRAT uses

Family

← Previous

Page / 7

1–12 of 82

73 Open VSX Sleeper Extensions Linked to Malware … related

AlienVault Confidence 100 18 MITREs 3 IOCs 3 Observables 1 APT
Foxit Impersonation: Fake PDF Installer Deploys VNC related

AlienVault Confidence 100 19 MITREs 1 Malware 7 IOCs 7 Observables
Malicious Campaign Deploying AdaptixC2 Beacon and VS Code … related

17 MITREs 4 Malwares 14 Observables 1 APT
Operation PhantomCLR: Stealth Execution via AppDomain Hijacking and … related

19 MITREs 4 Observables
CrySome RAT : An Advanced Persistent .NET Remote … related

24 MITREs 1 Malware 2 Observables
ClickFix Campaigns Targeting Windows and macOS related

19 MITREs 18 Observables
From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect related

8 MITREs 2 Malwares 10 Observables
Hydra Saiga: Covert Espionage and Infiltration of Critical … related

21 MITREs 2 Malwares 41 Observables 1 APT
Operation CamelClone: Multi-Region Espionage Campaign Targets Government and … related

11 MITREs 1 Malware 29 Observables
SloppyLemming Deploys BurrowShell and Rust-Based RAT to Target … related

19 MITREs 2 Malwares 19 Observables 1 APT
Abusing Windows File Explorer and WebDAV for Malware … related

8 MITREs 3 Malwares 4 Observables
Amaranth-Dragon: Weaponizing CVE-2025-8088 for Targeted Espionage in Southeast … related

1 CVE 13 MITREs 3 Malwares 55 Observables 1 APT

← Previous

Page / 5

13–24 of 50

Vulnerabilities (CVE) (66)

CVE-2022-44698 KEV targets

5.4 Medium

Microsoft Defender SmartScreen contains a security feature bypass vulnerability that could allow an attacker to evade Mark of the Web (MOTW) defenses …

Attack vector: Network
Published: 13/12/2022
Modified: 20/12/2025

CVE-2025-25181 KEV targets

5.8 Medium

A SQL injection vulnerability in timeoutWarning.asp in Advantive VeraCore through 2025.1.0 allows remote attackers to execute arbitrary SQL commands via the PmSess1 …

Attack vector: Network
Published: 10/03/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2026-45585 targets

6.8 Medium

Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this …

Attack vector: Physical
Complexity: Low
Published: 20/05/2026
Modified: 04/06/2026

CWE-77 Analyzed

CVE-2021-34473 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 29/05/2026

CVE-2022-30190 KEV targets

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An …

Published: 14/06/2022
Modified: 27/05/2026

CVE-2021-42278 KEV targets

Microsoft Active Directory Domain Services contains an unspecified vulnerability that allows for privilege escalation.

Published: 11/04/2022
Modified: 20/12/2025

CVE-2025-66478 targets

Rejected reason: This CVE is a duplicate of CVE-2025-55182.

Published: 20/12/2025
Modified: 21/12/2025

Rejected

CVE-2024-21887 KEV targets

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2022-21893 targets

8.0 High

Remote Desktop Protocol Remote Code Execution Vulnerability

Attack vector: NETWORK
Published: 11/01/2022
Modified: 20/12/2025

CVE-2022-41091 KEV targets

5.4 Medium

Microsoft Windows Mark of the Web (MOTW) contains a security feature bypass vulnerability resulting in a limited loss of integrity and availability …

Attack vector: Network
Published: 08/11/2022
Modified: 20/12/2025

CVE-2025-2783 KEV targets

8.3 High

Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being …

Attack vector: Network
Published: 27/03/2025
Modified: 21/12/2025

Analyzed

← Previous

Page / 6

13–24 of 66

T1218.004 subtechnique-of

InstallUtil MITRE

Course Of Action (2)

Exploit Protection mitigates
Disable or Remove Feature or Program mitigates

Contact About Legal notice Privacy policy Terms of use

T1218: T1218

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (54)

Malware (82)

Reports (50)

Vulnerabilities (CVE) (66)

Attack patterns (MITRE) (1)

Course Of Action (2)