T1127 Trusted Developer Utilities Proxy Execution
Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. Many utilities used for software-development-related tasks can execute code in various forms to assist in development, debugging, and reverse engineering.[1][2][3] These utilities are often signed with legitimate certificates that allow them to run on a system, so routing malicious code through such a trusted process can effectively bypass application control solutions.
Item | Value |
---|---|
ID | T1127 |
Sub-techniques | T1127.001 |
Tactics | TA0005 |
Platforms | Windows |
Version | 1.2 |
Created | 31 May 2017 |
Last Modified | 05 May 2022 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1042 | Disable or Remove Feature or Program | Specific developer utilities may not be necessary within a given environment and should be removed if not used. |
M1038 | Execution Prevention | Certain developer utilities should be blocked or restricted if not required. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | Process Creation |
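As an added example (not part of this ATT&CK page), the following Python check shows how the Process Creation data component above can be turned into a review rule: it flags launches of the developer utilities named in this page's references (cdb/windbg, rcsi.exe, dnx.exe) plus msbuild.exe (sub-technique T1127.001) unless they come from an expected parent. The utility set, the parent allow-list and the sample events are constructed assumptions to tune per environment.

```python
"""T1127 review rule over constructed process-creation events."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Utilities from this page's references plus msbuild.exe (T1127.001).
# Assumed starting list; extend it per M1042/M1038 review of your estate.
DEV_UTILITIES = {"cdb.exe", "windbg.exe", "rcsi.exe", "dnx.exe", "msbuild.exe"}

# Parents from which these tools are expected (assumed allow-list):
# an IDE launching msbuild.exe is routine build activity.
EXPECTED_PARENTS = {"devenv.exe"}

# Parents that make a developer utility launch worth an analyst's attention.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class ProcessCreate:
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    command_line: str


def _basename(path: str) -> str:
    """Normalise a possibly quoted Windows path to a lower-case file name."""
    return PureWindowsPath(path.strip().strip('"')).name.lower()


def evaluate(ev: ProcessCreate) -> Optional[str]:
    """Return a reason to review this event, or None if it is uninteresting."""
    name = _basename(ev.image)
    if name not in DEV_UTILITIES:
        return None
    parent = _basename(ev.parent_image)
    if parent in EXPECTED_PARENTS:
        return None
    if parent in SCRIPT_HOSTS:
        return f"{name} spawned from scripting host {parent}: {ev.command_line}"
    return f"{name} spawned from unexpected parent {parent}"


def detect(events: List[ProcessCreate]) -> List[Tuple[ProcessCreate, str]]:
    """Run evaluate() over a batch and keep only the events that need review."""
    hits = []
    for ev in events:
        reason = evaluate(ev)
        if reason:
            hits.append((ev, reason))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE = [
    ProcessCreate(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
                  r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
                  "MSBuild.exe app.csproj"),
    ProcessCreate(r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"',
                  r"C:\Windows\System32\cmd.exe", "MSBuild.exe build.xml"),
    ProcessCreate(r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
                  r"C:\Windows\explorer.exe", "cdb.exe -z crash.dmp"),
    ProcessCreate(r"C:\Windows\System32\notepad.exe",
                  r"C:\Windows\explorer.exe", "notepad.exe"),
]
```

Running `detect(SAMPLE)` returns two hits: the MSBuild launch from cmd.exe and the cdb.exe launch from explorer.exe; the IDE-driven build and notepad are ignored.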
References
1. Graeber, M. (2016, August 15). Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner. Retrieved May 26, 2017.
2. Nelson, M. (2016, November 21). Bypassing Application Whitelisting By Using rcsi.exe. Retrieved May 26, 2017.
3. Nelson, M. (2017, November 17). Bypassing Application Whitelisting By Using dnx.exe. Retrieved May 25, 2017.