{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/signed-binary-proxy-execution/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["proxy-execution","net-utility","defense-evasion","execution","signed-binary-proxy-execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief addresses the abuse of trusted Microsoft .NET binaries as proxies for malicious code execution. Attackers leverage script-based execution (e.g., PowerShell, VBScript, batch files) from atypical or user-writable directories to launch .NET utilities like aspnet_compiler.exe, msbuild.exe, regasm.exe, InstallUtil.exe, and vbc.exe. This method allows threat actors to bypass security controls and blend in with legitimate system activity. Observed activity occurs in environments where endpoint detection and response (EDR) agents are deployed. The lack of command-line variation between the utility\u0026rsquo;s image path and its executed process reinforces the suspicion of proxy execution. 
This technique has been associated with malware campaigns, including the deployment of VIP Keylogger.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (potentially through phishing or exploiting a software vulnerability, although this source does not specify the entry vector).\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious script (e.g., a PowerShell script) into a user-writable directory such as C:\\Users\\Public\\ or C:\\Temp\\.\u003c/li\u003e\n\u003cli\u003eThe malicious script, often obfuscated to evade detection, executes from the non-standard location.\u003c/li\u003e\n\u003cli\u003eThe script then calls a legitimate .NET utility (e.g., InstallUtil.exe) to execute malicious code.\u003c/li\u003e\n\u003cli\u003eThe .NET utility executes with minimal command-line arguments, often just the executable path itself, to further blend in with legitimate activity.\u003c/li\u003e\n\u003cli\u003eThe .NET utility loads and executes attacker-controlled code, bypassing application control policies.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as keylogging (as seen with VIP Keylogger), credential theft, or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation enables attackers to bypass application control and execute arbitrary code, potentially leading to data theft, system compromise, and persistent access. While the number of victims and specific sectors are not detailed in this brief\u0026rsquo;s source, the use of VIP Keylogger as a payload demonstrates the potential for sensitive data exfiltration. 
Organizations lacking robust endpoint detection capabilities are at significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect .NET Utility Execution from Unusual Script Parents\u0026rdquo; to identify potential proxy execution attempts based on process relationships and file paths (rule provided below).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of .NET utilities (aspnet_compiler.exe, msbuild.exe, regasm.exe, InstallUtil.exe, vbc.exe) being launched from user-writable directories, especially when the parent process is a script interpreter (batch, CMD, PowerShell, JScript, VBScript, HTML).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events (Sysmon EventID 1 or Windows Event Log Security 4688) for unusual parent-child process relationships involving script interpreters and .NET utilities.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of .NET utilities from untrusted locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-proxy-execution-net-utilities/","summary":"Detects the execution of .NET utilities by script processes from unusual locations, indicative of signed binary proxy execution for defense evasion and code execution.","title":"Windows Proxy Execution of .NET Utilities via Scripts","url":"https://feed.craftedsignal.io/briefs/2024-01-03-proxy-execution-net-utilities/"}],"language":"en","title":"CraftedSignal Threat Feed — Signed-Binary-Proxy-Execution","version":"https://jsonfeed.org/version/1.1"}