DET0793: Detection of System Binary Proxy Execution
Analyst context for executives and security teams
DET0793 is an ICS ATT&CK detection strategy for identifying System Binary Proxy Execution, where malicious activity is routed through trusted or signed system binaries. The practical risk is that allow-listing, signature validation, and process-name-based monitoring can appear healthy while an adversary uses trusted binaries to execute unwanted content.
Executive priority
Treat this as a control-validation issue, not just an alert rule. Security leaders should ask whether SOC and IR teams can prove how trusted binary execution is monitored in environments that support industrial operations, and whether control assumptions such as “signed equals safe” are backed by behavioral evidence. This matters for resilience, audit defensibility, and incident triage because misuse of trusted binaries can reduce confidence in prevention controls and delay containment decisions.
Technical view
MITRE provides no official detection text, platforms, or tactics for DET0793, so implementation must be derived cautiously from the relationship to T0894. SOC teams should validate whether they can distinguish normal trusted binary use from suspicious proxy execution by reviewing process lineage, command-line context, binary signature metadata, file paths, and execution context. Detection engineering should avoid relying only on binary reputation or signature status and should test whether trusted binaries launching unusual child processes, loading unexpected content, or executing from unusual locations are visible in the available telemetry.
Likely telemetry
- Process creation and termination events
- Parent-child process relationships
- Command-line arguments where collected
- Executable path and file metadata
- Digital signature or certificate validation metadata
Detection direction
- Validate that trusted or signed binaries are not automatically excluded from monitoring logic.
- Tune detections around behavioral context: unusual parent processes, unexpected child processes, abnormal paths, and suspicious command-line usage.
- Establish local baselines for legitimate administrative and system-binary activity to reduce false positives.
- Review blind spots where command-line capture, process lineage, or signature metadata is incomplete.
- Use the relationship to T0894 as the analytic anchor, but do not assume specific platforms or tactics beyond what the supplied ATT&CK data states.
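The behavioral checks described in the technical view and in the detection-direction list above, written out as an added example in Python. This is not MITRE or Glexia content and not a production analytic: the watch list of proxied binaries, the directory roots, the approved parent baseline and the five process-creation events are all constructed assumptions, chosen so that the sample covers the cases the list calls out (unusual path, unexpected parent, unexpected child, suspicious command line, missing signature). The point it makes concretely is the one the page insists on: signature status is recorded as a finding when absent but is never used to suppress the other checks, and a naive "signed equals safe" filter would drop two of the four events that the behavioral checks flag.

```python
"""Behavioral checks for trusted-binary proxy execution over constructed
process-creation events. Added example: not MITRE ATT&CK or Glexia content.
The watch list, baseline and sample events are assumptions for illustration."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record; fields mirror the telemetry list above."""
    pid: int
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    cmdline: str        # command line, where the sensor collects it
    signed: bool        # signature validation result reported by the sensor
    signer: str         # certificate subject, empty when unsigned


# Constructed local baseline (assumption; replace with site-specific values).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")
REMOTE_MARKERS = ("http://", "https://", "\\\\")   # URLs and UNC paths
# Assumed watch list of signed system binaries that can proxy execution, with
# the parents under which each was observed during normal engineering work.
APPROVED_PARENTS = {
    "rundll32.exe": {"explorer.exe", "svchost.exe"},
    "regsvr32.exe": {"msiexec.exe", "setup.exe"},
    "mshta.exe": set(),
}


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _under(path: str, roots: tuple) -> bool:
    return path.lower().startswith(roots)


def naive_signed_filter(ev: ProcEvent) -> bool:
    """The 'signed equals safe' logic the page warns against: True means the
    event would be dropped before any behavioral check runs."""
    return ev.signed


def evaluate(ev: ProcEvent) -> list:
    """Return the behavioral checks that fire for one event. A missing
    signature is itself a finding, but a valid one suppresses nothing."""
    findings = []
    name, parent = _name(ev.image), _name(ev.parent_image)
    cmdline = ev.cmdline.lower()
    if name in APPROVED_PARENTS:
        if not _under(ev.image, SYSTEM_DIRS):
            findings.append("watched_name_outside_system_dir")
        if not ev.signed:
            findings.append("watched_binary_unsigned")
        if parent not in APPROVED_PARENTS[name]:
            findings.append("unexpected_parent")
        if any(m in cmdline for m in USER_WRITABLE + REMOTE_MARKERS):
            findings.append("cmdline_references_writable_or_remote_content")
    if parent in APPROVED_PARENTS and _under(ev.image, USER_WRITABLE):
        findings.append("watched_parent_spawned_child_from_writable_path")
    return findings


def triage(events) -> dict:
    """Map pid -> findings for every event with at least one finding."""
    return {ev.pid: f for ev in events if (f := evaluate(ev))}


# Constructed telemetry, not real incident data. 101 is baseline activity;
# 102-105 each exercise one or more of the checks above.
SAMPLE_EVENTS = [
    ProcEvent(101, "C:\\Windows\\System32\\rundll32.exe", "C:\\Windows\\explorer.exe",
              "rundll32.exe shell32.dll,Control_RunDLL", True, "Microsoft Windows"),
    ProcEvent(102, "C:\\Windows\\System32\\rundll32.exe",
              "C:\\Program Files\\Vendor\\HMI\\viewer.exe",
              "rundll32.exe C:\\Users\\eng\\AppData\\Local\\Temp\\upd.dll,Start",
              True, "Microsoft Windows"),
    ProcEvent(103, "C:\\Users\\eng\\Downloads\\rundll32.exe", "C:\\Windows\\explorer.exe",
              "rundll32.exe helper.dll,Start", False, ""),
    ProcEvent(104, "C:\\Windows\\System32\\regsvr32.exe",
              "C:\\Windows\\System32\\msiexec.exe",
              "regsvr32.exe /s \\\\fileserver\\share\\lib.dll", True, "Microsoft Windows"),
    ProcEvent(105, "C:\\ProgramData\\tmp\\svc.exe",
              "C:\\Windows\\System32\\regsvr32.exe", "svc.exe", False, ""),
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        ev = next(e for e in SAMPLE_EVENTS if e.pid == pid)
        print(f"{pid} signed={ev.signed} dropped_by_naive_filter={naive_signed_filter(ev)}"
              f" findings={hits}")
```

Running it prints one line per flagged event. Events 102 and 104 are Microsoft-signed binaries in their normal location and pass the naive filter, yet the parent lineage and command-line content flag them; 103 is a copy of a trusted name outside the system directory with no valid signature, and 105 is a child spawned from a user-writable path by a watched binary. The baseline dictionary is the artifact the mitigation list asks teams to document: approved administrative use becomes the allow entries, and everything else is visible.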
Mitigation priorities
- Prioritize visibility first: confirm process, command-line, file, and signature telemetry are collected where relevant to industrial operations.
- Review allow-listing and trust policies so signed binaries are not treated as inherently benign without behavioral controls.
- Document approved administrative use of trusted binaries to support detection tuning and incident review.
- Ensure IR playbooks include investigation steps for trusted-binary misuse, including lineage, executed content, and certificate/path review.
- Use findings as compliance evidence that monitoring covers abuse of trusted system components, not only known malicious executables.
Analyst notes and limits
This take is based on DET0793 and its stated relationship to T0894, System Binary Proxy Execution, in the ICS ATT&CK domain. The supplied object has no official description, detection text, tactics, platforms, aliases, or labels, so the guidance focuses on defensive validation themes supported by the related technique description.
Because MITRE did not provide detection logic or platform scope for this detection strategy, local environment evidence is required before creating precise analytics, severity, or coverage claims. The supplied relationship context references trusted and Microsoft-signed binaries and Windows systems, but DET0793 itself does not specify platforms.
Detection of System Binary Proxy Execution
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0894 | System Binary Proxy Execution | This object detects System Binary Proxy Execution. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table lists the same object across releases (hashes and MITRE timestamps) for comparison. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e1cc4a405cea… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0793
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.