Signed Binary Proxy Execution

Hackers are creative with disguising their malware

Posted by Fabio Liberti on September 24, 2022

Signed binaries are binary files that are signed with trusted digital certificates and can therefore be executed on Windows systems protected by application controls and digital signature validation. Unfortunately, threat actors quite often abuse these binaries to bypass security controls. These binaries are also commonly referred to as Living-off-the-Land binaries (LOLBins).

Signed Binary Proxy execution refers to the method of running an executable or executing a command by using another executable that is signed with trusted digital certificates. Attackers utilize this trust to bypass security mechanisms.

Subtechnique #1: T1218.001 Compiled HTML File

A Compiled HTML file (.chm extension) is essentially a collection of several HTML pages. Additionally, it may include a compressed compilation of JScript, Java, ActiveX and HTML content together with image files in the .gif, .png and .jpeg formats. Threat actors have been using customized .chm files embedded with malicious payloads to evade application controls.

Older versions of Microsoft Windows display CHM content using underlying Internet Explorer components that are loaded through the HTML Help executable program (hh.exe). hh.exe starts whenever a user clicks a CHM file or a menu item that opens the help file in the Help Viewer. When hh.exe calls the HTML Help ActiveX control, the help file is displayed and navigation and other functions become available to the user. Notably, hh.exe runs the Internet Explorer engine at medium integrity, whereas a regular iexplore process runs at low integrity, which makes the browser embedded within hh.exe easier to exploit. This security flaw is listed as CVE-2017-8625 and affects Windows 10 versions prior to v1703. For instance, calc.exe can be launched with the following code in a customized CHM file [7].

Connection Manager service profiles are installed using the built-in Windows command-line tool CMSTP.exe (the Microsoft Connection Manager Profile Installer). By supplying CMSTP.exe with installation information files (.inf) that carry malicious commands, adversaries use it to proxy the execution of those commands.

"Testing does not prove the absence of bugs, merely the presence of them." -Edsger Dijkstra

Subtechnique #2: T1218.002 Control Panel

The Windows command-line tool mshta.exe is used to run HTML Application (HTA) files. HTAs have all of Windows Internet Explorer's features, including its object model and technologies, without the browser's strict security policy or user interface. As a consequence, attackers abuse mshta.exe to execute .hta files, VBScript, JavaScript and JScript.

...

The Windows environment can be customized by users via Control Panel objects, which are executable (.exe) or dynamic link library (DLL) files [8]. Control Panel items are executed by the control.exe process binary, which is part of the Windows Control Panel. Attackers use control.exe to proxy the execution of malicious payloads.

Adversaries employ this technique to get around application controls because the registry binary (reg.exe) in the Windows folder is permitted to execute by AppLocker, and Control Panel is permitted in the majority of environments.
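As an added example (not code from the original post), the following Python flags Sysmon-style process-creation events that fit the proxy-execution patterns discussed above for hh.exe, CMSTP.exe, mshta.exe and control.exe. The event field names, the list of Office parent processes and the sample events are assumptions constructed for this illustration.

```python
import re

# Hypothetical Sysmon-style process-creation event: Image, CommandLine, ParentImage.
USER_WRITABLE = re.compile(r"\\(users|temp|programdata|appdata)\\", re.I)
INLINE_OR_REMOTE = re.compile(r"\b(vbscript|javascript):|https?://", re.I)
# The signed binaries discussed above and the payload type each one proxies.
PROXY_BINARIES = {
    "hh.exe": re.compile(r"\.chm\b", re.I),       # Compiled HTML Help
    "cmstp.exe": re.compile(r"\.inf\b", re.I),    # Connection Manager profile
    "mshta.exe": re.compile(r"\.hta\b", re.I),    # HTML Application
    "control.exe": re.compile(r"\.cpl\b", re.I),  # Control Panel item
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list:
    """Return the reasons an event looks like proxy execution (empty if none)."""
    image = basename(event.get("Image", ""))
    if image not in PROXY_BINARIES:
        return []
    cmd = event.get("CommandLine", "")
    parent = basename(event.get("ParentImage", ""))
    reasons = []
    # A .chm/.inf/.hta/.cpl under a user-writable directory is the usual delivery path.
    if PROXY_BINARIES[image].search(cmd) and USER_WRITABLE.search(cmd):
        reasons.append(f"{image} loads a payload from a user-writable path")
    if image == "mshta.exe" and INLINE_OR_REMOTE.search(cmd):
        reasons.append("mshta.exe given an inline script or remote URL")
    if parent in OFFICE_PARENTS:
        reasons.append(f"{image} spawned by Office application {parent}")
    return reasons

# Constructed sample events (not real telemetry); the last one is benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\alice\Downloads\invoice.chm'},
    {"Image": r"C:\Windows\System32\cmstp.exe", "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "CommandLine": r"cmstp.exe /s C:\Users\alice\AppData\Local\Temp\profile.inf"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"mshta.exe https://example.invalid/update.hta"},
    {"Image": r"C:\Windows\System32\control.exe", "ParentImage": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "CommandLine": r"control.exe C:\Users\alice\Downloads\setup.cpl"},
    {"Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" "C:\Program Files\SomeApp\help.chm"'},
]
```

Running `classify` over `SAMPLE_EVENTS` flags the first four events and leaves the help file under Program Files alone; in production the path and parent heuristics should be tuned to the environment's baseline.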

Be safe, kind regards · Fabio Liberti