Monday 06 July 2026 12:35:17 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

WIKICROOK

Windows execution proxy

A legitimate system binary abused to launch or hide malicious activity.

A Windows execution proxy is a legitimate system binary that attackers abuse to start other code or make malicious activity look normal. Instead of dropping an obvious new executable, the attacker invokes trusted tools such as scripting hosts, service utilities, or command-line components to launch payloads, load code in memory, or pass commands to another process.

This matters because security controls often trust signed Microsoft binaries more than unknown files. When malware uses a Windows execution proxy, it can evade simple hash-based blocking, blend into routine admin activity, and create a cleaner path for persistence or lateral movement. Defenders look for suspicious parent-child process chains, unusual command-line arguments, encoded scripts, and unexpected network access from trusted binaries. Monitoring these behaviors helps expose abuse even when the process name itself appears legitimate.

← WIKICROOK index