A Red Team View on MITRE T1218 Tactics
Intro
In today’s evolving threat landscape, attackers are no longer relying solely on custom malware. Instead, they’re using what’s already trusted — legitimate, signed binaries — to quietly run malicious code under the radar.
This technique is known as BYOSB (Bring Your Own Signed Binary) and falls under the MITRE ATT&CK technique T1218: Signed Binary Proxy Execution. It’s becoming an increasingly common method to bypass modern EDR and AV solutions.
What is BYOSB?
At its core, BYOSB leverages signed executables (like java.exe, python.exe, node.exe, etc.) to run payloads without raising suspicion. These are binaries that are:
Signed by a known and trusted vendor
Often whitelisted by endpoint protection tools
Readily available in many enterprise environments
Unlike traditional LOLBins (Living Off the Land Binaries), these executables are not native to the OS and often come bundled with development or data science toolkits.
Why It Matters Now
In 2025, the trend is clear:
✔️ Endpoint agents are improving — but not fast enough
✔️ Attackers are shifting to low-noise, fileless, signed methods
✔️ Dev and data science environments are becoming prime targets
“You don’t need to break the door down if it’s already wide open.” — Red Team Lead
MITRE T1218: Quick Primer
T1218 is about executing malicious code via signed binaries. These binaries may not be malicious themselves — but when abused, they act as perfect launchpads for payloads.
Why attackers love them:
They don’t need to compile custom malware
They inherit trust from the vendor signature
Their behavior often blends into the noise of daily developer or IT ops activity
The BYOSB Advantage
Compared to PowerShell or cmd.exe (which are heavily monitored), BYOSB tools offer:
Cross-platform compatibility
Minimal footprint (especially when using standalone binaries like node.exe)
Easier EDR evasion due to fewer behavioral signatures
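From the defender's side, the sections above give three observable traits to key on: a signed interpreter (python.exe, node.exe, java.exe) spawned by a process that should never launch one, inline code passed on the command line instead of a script file, and a standalone copy of the interpreter executing from a user-writable directory. The following Python rule set is an added example written for this page; it is not the article's own code nor part of the downloadable report. The event shape (JSON lines with Image, ParentImage, CommandLine and ProcessId fields), the rule thresholds and every sample event are constructed assumptions, loosely modelled on Sysmon Event ID 1 fields.

```python
"""Added example (not from the original article): detection rules for
T1218-style abuse of signed, non-native interpreters.

Scans constructed process-creation events (JSON lines; field names loosely
follow Sysmon Event ID 1 but the format is an assumption for this example)
and returns the rules that fired for each interpreter launch.
"""
import json
import re
from typing import Dict, List

# Signed interpreters that are not native to Windows but common on dev boxes.
INTERPRETERS = {"python.exe", "pythonw.exe", "node.exe", "java.exe", "javaw.exe"}

# Parents that should not be spawning an interpreter on a workstation.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
                      "mshta.exe", "wscript.exe", "cscript.exe"}

# Switches that execute code passed inline rather than from a script file.
INLINE_CODE_FLAGS = {
    "python.exe": re.compile(r"(^|\s)-c(\s|$)"),
    "pythonw.exe": re.compile(r"(^|\s)-c(\s|$)"),
    "node.exe": re.compile(r"(^|\s)(-e|--eval|-p|--print)(\s|$)"),
}

# User-writable locations: an interpreter executing from here is a dropped
# standalone copy, not an installed toolkit (assumed list for this example).
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData\\Local\\Temp|Downloads)|Windows\\Temp|ProgramData)\\",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles '/' separators too)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the rule descriptions that fire for one process-creation event."""
    image = basename(event["Image"])
    if image not in INTERPRETERS:
        return []  # only interested in interpreter launches
    reasons: List[str] = []
    cmdline = event.get("CommandLine", "")

    parent = basename(event.get("ParentImage", ""))
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"interpreter spawned by {parent}")

    flag_re = INLINE_CODE_FLAGS.get(image)
    if flag_re and flag_re.search(cmdline):
        reasons.append("inline code passed on command line")

    if USER_WRITABLE.search(event["Image"]):
        reasons.append("interpreter running from user-writable directory")

    if image in ("java.exe", "javaw.exe"):
        # For Java the interesting artefact is the jar, not the interpreter path.
        m = re.search(r'-jar\s+"?([^"\s]+)', cmdline, re.IGNORECASE)
        if m and USER_WRITABLE.search(m.group(1)):
            reasons.append("jar loaded from user-writable directory")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run evaluate() over JSON-lines telemetry and collect the findings."""
    findings = []
    for line in lines:
        event = json.loads(line)
        reasons = evaluate(event)
        if reasons:
            findings.append({"pid": event["ProcessId"],
                             "image": basename(event["Image"]),
                             "reasons": reasons})
    return findings


# Constructed sample telemetry (not real logs); serialised to JSON lines.
_EVENTS = [
    {"ProcessId": 4101, "Image": r"C:\Program Files\Python311\python.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r"python.exe C:\src\etl\load.py"},            # normal developer use
    {"ProcessId": 4102, "Image": r"C:\Program Files\Python311\python.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": 'python.exe -c "<inline code>"'},             # Office parent + inline code
    {"ProcessId": 4103, "Image": r"C:\Users\bob\AppData\Local\Temp\node.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'node.exe -e "<inline code>"'},               # standalone copy + inline code
    {"ProcessId": 4104, "Image": r"C:\Program Files\Java\jdk-17\bin\java.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"java.exe -jar C:\Users\bob\Downloads\invoice.jar"},  # jar from Downloads
    {"ProcessId": 4105, "Image": r"C:\Program Files\Java\jdk-17\bin\java.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"java.exe -jar C:\Program Files\Tool\tool.jar"},  # normal installed tool
]
SAMPLE_LOG = [json.dumps(e) for e in _EVENTS]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The rules are deliberately independent so that each finding carries the full list of reasons; in practice the parent-process rule is the lowest-noise signal, while the user-writable-directory rule needs tuning against portable toolchains that developers legitimately run from their profile.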
Want to see real-world red team examples and binary comparisons?
Our team analyzed how attackers use BYOSB techniques with binaries like python.exe, node.exe, and java.exe — including how we bypassed EDR using only official packages.
Download the full technical article below.
(Includes binary SHA256 hashes, VT scores, runtime behavior comparisons, and detection strategies.)