T1218: T1218

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 18/04/2018 19:59 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID: T1218
Confidence: 100/100
Revoked: No
Published: 18/04/2018 19:59
Modified: 27/03/2026 01:09
Author / Source: The MITRE Corporation

Aliases

System Binary Proxy Execution

Platforms

windows macos linux

Description

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Similarly, on Linux systems adversaries may abuse trusted binaries such as `split` to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

split man page
GTFO split
LOLBAS Project
mitre-attack (T1218)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (54)

NET_PA1N Reborn uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
GlassWorm uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
El Machete, SideWinder, Lyceum uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Black Basta uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group, Kimsuky uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Transparent Tribe uses COPPER FIELDSTONEMythic Leopard

The MITRE Corporation Confidence 100

[Transparent Tribe](https://attack.mitre.org/groups/G0134) is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.(Citation: Proofpoint…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cuba uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Silence group uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Water Minyades uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Silver Fox uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PureCoder uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
September uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 54

BitRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
gh0st - S0032 uses
Mythic - S0699 uses

Family
DeadLock uses

Family
SHA-256 uses
Rhadamanthys uses

Family
Lynx uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SILENTCONNECT uses

Family
Conti uses

Family
Crytox uses

Family
AXLocker uses
PureRAT uses

Family

← Previous

Page / 7

1–12 of 82

73 Open VSX Sleeper Extensions Linked to Malware … related

AlienVault Confidence 100 18 MITREs 3 IOCs 3 Observables 1 APT
Foxit Impersonation: Fake PDF Installer Deploys VNC related

AlienVault Confidence 100 19 MITREs 1 Malware 7 IOCs 7 Observables
Malicious Campaign Deploying AdaptixC2 Beacon and VS Code … related

17 MITREs 4 Malwares 14 Observables 1 APT
Operation PhantomCLR: Stealth Execution via AppDomain Hijacking and … related

19 MITREs 4 Observables
CrySome RAT : An Advanced Persistent .NET Remote … related

24 MITREs 1 Malware 2 Observables
ClickFix Campaigns Targeting Windows and macOS related

19 MITREs 18 Observables
From Invitation to Infection: How SILENTCONNECT Delivers ScreenConnect related

8 MITREs 2 Malwares 10 Observables
Hydra Saiga: Covert Espionage and Infiltration of Critical … related

21 MITREs 2 Malwares 41 Observables 1 APT
Operation CamelClone: Multi-Region Espionage Campaign Targets Government and … related

11 MITREs 1 Malware 29 Observables
SloppyLemming Deploys BurrowShell and Rust-Based RAT to Target … related

19 MITREs 2 Malwares 19 Observables 1 APT
Abusing Windows File Explorer and WebDAV for Malware … related

8 MITREs 3 Malwares 4 Observables
Amaranth-Dragon: Weaponizing CVE-2025-8088 for Targeted Espionage in Southeast … related

1 CVE 13 MITREs 3 Malwares 55 Observables 1 APT

← Previous

Page / 5

13–24 of 50

Vulnerabilities (CVE) (66)

CVE-2022-41049 KEV targets

5.4 Medium

Microsoft Windows Mark of the Web (MOTW) contains a security feature bypass vulnerability resulting in a limited loss of integrity and availability …

Attack vector: Network
Published: 14/11/2022
Modified: 27/05/2026

CVE-2025-3935 KEV targets

8.1 High

ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve …

Attack vector: Network
Published: 02/06/2025
Modified: 21/12/2025

Received

CVE-2021-40444 KEV targets

Microsoft MSHTML contains a unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 27/05/2026

CVE-2022-31199 KEV targets

9.8 Critical

Netwrix Auditor User Activity Video Recording component contains an insecure objection deserialization vulnerability that allows an unauthenticated, remote attacker to execute code …

Attack vector: Network
Published: 11/07/2023
Modified: 20/12/2025

CVE-2023-36025 KEV targets

8.8 High

Microsoft Windows SmartScreen contains a security feature bypass vulnerability that could allow an attacker to bypass Windows Defender SmartScreen checks and their …

Attack vector: Network
Published: 14/11/2023
Modified: 21/12/2025

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2023-22515 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …

Attack vector: Network
Published: 05/10/2023
Modified: 21/12/2025

CVE-2021-31969 targets

CVE-2021-31207 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for security feature bypass.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2021-21284 targets

6.8 Medium

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege …

Attack vector: ADJACENT_NETWORK
Published: 02/02/2021
Modified: 20/12/2025

CVE-2023-48788 KEV targets

9.8 Critical

Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.

Attack vector: Network
Published: 25/03/2024
Modified: 21/12/2025

CVE-2021-34523 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.

Published: 03/11/2021
Modified: 20/12/2025

← Previous

Page / 6

1–12 of 66

T1218.004 subtechnique-of

InstallUtil MITRE

Course Of Action (2)

Exploit Protection mitigates
Disable or Remove Feature or Program mitigates

Contact About Legal notice Privacy policy Terms of use

T1218: T1218

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (54)

Malware (82)

Reports (50)

Vulnerabilities (CVE) (66)

Attack patterns (MITRE) (1)

Course Of Action (2)