Clankerusecase
MITRE ATT&CK detection coverage
 ← Back to main site
Home/ MITRE Matrix/ Defense Evasion/ T1218

T1218System Binary Proxy Execution

T1218 — System Binary Proxy Execution is a MITRE ATT&CK technique in the Defense Evasion tactic. Clankerusecase tracks 25 detection use cases covering it and 94 threat-intel articles citing it.

Defense Evasion
View on the matrix → Filter Detection Library MITRE official spec ↗
25Use cases
94Articles
14Sub-techniques
1Tactic

Sub-techniques (14)

T1218.003 · CMSTPT1218.001 · Compiled HTML FileT1218.002 · Control PanelT1218.015 · Electron ApplicationsT1218.004 · InstallUtilT1218.013 · MavinjectT1218.014 · MMCT1218.005 · MshtaT1218.007 · MsiexecT1218.008 · OdbcconfT1218.009 · Regsvcs/RegasmT1218.010 · Regsvr32T1218.011 · Rundll32T1218.012 · Verclsid

Use cases covering this technique (25)

Office app spawning script/LOLBin child process Internal exploit · alerting DSΣP [WEEKLY] Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain Internal exploit · alerting DSΣPDD Cisco NVM - Suspicious Network Connection From Process With No Args ESCU actions · hunting P LOLBAS With Network Traffic ESCU actions · alerting P Windows Advanced Installer MSIX with AI_STUBS Execution ESCU actions · alerting P Windows AppLocker Block Events ESCU actions · hunting P Windows AppLocker Execution from Uncommon Locations ESCU actions · hunting P Windows AppLocker Privilege Escalation via Unauthorized Bypass ESCU actions · alerting P Windows AppLocker Rare Application Launch Detection ESCU actions · hunting P Windows BitLockerToGo Process Execution ESCU actions · hunting P Windows BitLockerToGo with Network Activity ESCU actions · hunting P Windows Diskshadow Proxy Execution ESCU actions · alerting P Windows Execute Arbitrary Commands with MSDT ESCU actions · alerting P Windows MSC EvilTwin Directory Path Manipulation ESCU actions · alerting P Windows Proxy Execution of .NET Utilities via Scripts ESCU actions · hunting P Windows Rasautou DLL Execution ESCU actions · alerting P Windows System Script Proxy Execution Syncappvpublishingserver ESCU actions · alerting P [LLM] Bun runtime executed from temp directory by Python interpreter (Hades vF203 loader) Bespoke install · alerting DSΣPDDCS [LLM] Bun runtime download from github.com/oven-sh during npm install (Gen-2 loader) Bespoke delivery · hunting DSΣPDDCS [LLM] cscript/wscript executing a script from .laravel_locale temp directory Bespoke install · alerting DSΣPDDCS [LLM] PowerShell copy masqueraded as Windows Terminal in %PROGRAMDATA% running 6202033.ps1 Bespoke install · alerting DSΣPDD [LLM] DRILLAPP variant 2: Edge launched with --remote-debugging-port=9222 for CDP-based file download Bespoke c2 · alerting DSΣPDDCS [LLM] Renamed MSBuild.exe executing inline .csproj from user-writable path Bespoke install · alerting DSΣPDDCS [LLM] APT28 MacroMaze: Edge launched off-screen or headless to webhook.site by non-browser parent Bespoke c2 · alerting DSΣP [LLM] NosyDoor AppDomainManager hijack: UevAppMonitor.exe executing from non-standard path Bespoke install · alerting DSΣP

Articles citing this technique (94)

high FBI disrupts massive AI-powered phishing service using a million URLs art-01
med New Agentjacking Attack Hijacks Your AI Coding Agent to Run Code From a Hacker’s Server art-06
crit Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered art-15
high Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing art-18
med Hackers Abuse Legitimate NinjaOne RMM Software to Bypass Traditional Malware Detection art-23
high Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code art-28
crit Rethinking MDR as Attackers and Defenders Embrace AI art-30
high INTERPOL Operation Takes Down Sniper Dz Phishing Platform, Arrests Administrator art-33
high New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets art-41
high npm v12 delivers one of the biggest security improvements in years art-46
crit Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories art-48
high Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility art-74
high Pythagora-io/gpt-pilot Compromised on GitHub - Shai-Hulud Credential Stealer Blocked by Python Linter art-78
crit Microsoft Restores Some GitHub Repos, Keeps Others Offline as Miasma Probe Continues art-82
crit WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine art-86
crit Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models art-87
crit New FROST Attack Lets Websites Track What Sites and Apps You Open via SSD Timing art-89
high Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer art-90
crit LiteLLM Flaw CVE-2026-42271 Exploited in the Wild, Chains to Unauthenticated RCE art-92
high When “Hi, This Is IT” Comes Through Microsoft Teams art-98
crit One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public art-100
crit Meta Blocks NSO Group's New WhatsApp Phishing Attack, Files Contempt Order art-101
crit AI brands as bait: How threat actors are using the AI hype in social engineering art-102
crit AI Phishing Is Crushing SOCs with Alert Volume: How to Reduce Tier 1 Overload art-103
crit VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances art-107
crit UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign art-108
high Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI art-114
high Reporting from Vegas: Networking, AI, and good boys art-126
med Type Level Security: The future of secure AI code generation? art-132
crit Malicious npm packages abuse dependency confusion to profile developer environments art-161
crit [GHSA / CRITICAL] CVE-2026-47392: PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subpro art-166
high Typosquatted npm packages used to steal cloud and CI/CD secrets art-183
high What MDM can't protect on developer machines (and what to do about it) art-186
crit 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface art-187
crit ESET APT Activity Report Q4 2025–Q1 2026 art-189
med Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years art-190
crit Out of the Crypt: The Evolving Cyber Extortion Economy art-193
crit BTMOB: A stealthy RAT burrowing deep into Android devices art-209
crit Laravel Lang Supply Chain Advisory art-211
crit Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns art-217
crit Paved With Intent: ROADtools and Nation-State Tactics in the Cloud art-218
crit Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload art-219
med Foul play: Fake FIFA websites target soccer fans looking for World Cup tickets, merchandise art-220
crit The Wild West of VS Code extensions and how a poisoned extension breached GitHub art-236
crit [GHSA / CRITICAL] CVE-2026-45311: DeepSeek TUI: run_tests Tool Enables RCE via Malicious Repository Without Approval art-293
crit Kimsuky targets organizations with PebbleDash-based tools art-308
crit FrostyNeighbor: Fresh mischief and digital shenanigans art-309
crit Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools art-316
crit PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale art-322
crit A rigged game: ScarCruft compromises gaming platform in a supply-chain attack art-332
high Someone published four versions of a fake "tanstack" package in 27 minutes to steal your .env files art-346
high It's time to treat browser extensions like supply chain attack vectors art-354
crit New NGate variant hides in a trojanized NFC payment app art-369
high As breakout time accelerates, prevention-first cybersecurity takes center stage art-408
high Axios npm Package Compromised: Supply Chain Attack Delivers Cross-Platform RAT art-420
high axios compromised on npm: maintainer account hijacked, RAT deployed art-421
high A cunning predator: How Silver Fox preys on Japanese firms this tax season art-426
crit EDR killers explained: Beyond the drivers art-455
crit GlassWorm Hides a RAT Inside a Malicious Chrome Extension art-458
high DRILLAPP: new backdoor targeting Ukrainian entities with possible links to Laundry Bear art-470
crit Cyber fallout from the Iran war: What to have on your radar art-474
crit Sednit reloaded: Back in the trenches art-477
crit Protecting education: How MDR can tip the balance in favor of schools art-491
crit PlugX Meeting Invitation via MSBuild and GDATA art-503
high 20+ Popular NPM Packages Compromised (Chalk, Debug, Strip-ANSI, Color-Convert, Wrap-ANSI...) art-537
crit Operation MacroMaze: new APT28 campaign using basic tooling and legit infrastructure art-542
crit Naming and shaming: How ransomware groups tighten the screws on victims art-544
crit Another npm Supply Chain Attack: The 'is' Package Compromise art-554
high npx Confusion: Packages That Forgot to Claim Their Own Name art-578
high Fake Clawdbot VS Code Extension Installs ScreenConnect RAT art-594
high Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages art-605
crit LongNosedGoblin tries to sniff out governmental affairs in Southeast Asia and Japan art-642
crit ESET Threat Report H2 2025 art-647
crit Supply Chain Security Alert: eslint-config-prettier Package Shows Signs of Compromise art-654
med Why Threat Modeling Is Now Even More Critical for AI-Native Applications art-694
crit ESET APT Activity Report Q2 2025–Q3 2025 art-715
high How MDR can give MSPs the edge in a competitive market art-730
crit SnakeStealer: How it preys on personal data – and how you can protect yourself art-736
crit Phishing Campaign Leveraging the NPM Ecosystem art-754
crit CISA KEV: CVE-2011-3402 — Microsoft Windows Remote Code Execution Vulnerability art-762
high Zero-day Extensive NPM Package Compromise - Shai Hulud Supply Chain Attack art-789
high npm Supply Chain Attack via Open Source maintainer compromise art-794
high Weaponizing AI Coding Agents for Malware in the Nx Malicious Package Security Incident art-806
high Snyk Joins CISA's Secure by Design Pledge art-828
crit Maintainers of ESLint Prettier Plugin Attacked via npm Supply Chain Malware art-837
crit CISA KEV: CVE-2024-4879 — ServiceNow Improper Input Validation Vulnerability art-1200
high A stepping stone towards holistic application risk and compliance management of the Digital Operational Resiliency Act (DORA) art-1211
crit Polyfill supply chain attack embeds malware in JavaScript CDN assets art-1218
high Snyk AppRisk Pro: A holistic approach to application risk management art-1252
crit Snyk Learn and the NIST Cybersecurity Framework (CSF) art-1274
high Defense in Depth art-1278
crit New Year's security resolutions for 2024 from Snyk DevRel, SecRel, and friends art-1294
high Cybersecurity Venture’s 2023 Software Supply Chain Attack Report art-1362
high XS leaks: What they are and how to avoid them art-1419