Skip to content

T1127 Trusted Developer Utilities Proxy Execution

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.6513 These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.

Smart App Control is a feature of Windows that blocks applications it considers potentially malicious from running by verifying unsigned applications against a known safe list from a Microsoft cloud service before executing them.4 However, adversaries may leverage “reputation hijacking” to abuse an operating system’s trust of safe, signed applications that support the execution of arbitrary code. By leveraging Trusted Developer Utilities Proxy Execution to run their malicious code, adversaries may bypass Smart App Control protections.2

Item Value
ID T1127
Sub-techniques T1127.001, T1127.002, T1127.003
Tactics TA0005
Platforms Windows
Version 1.3
Created 31 May 2017
Last Modified 24 October 2025

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program Specific developer utilities may not be necessary within a given environment and should be removed if not used.
M1038 Execution Prevention Certain developer utilities should be blocked or restricted if not required.
M1021 Restrict Web-Based Content Consider disabling software installation or execution from the internet via developer utilities.

References

  1. Graeber, M. (2016, August 15). Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner. Retrieved November 17, 2024. 

  2. Joe Desimone. (2024, August 5). Dismantling Smart App Control. Retrieved March 21, 2025. 

  3. LOLBAS. (n.d.). Tracker.exe. Retrieved July 31, 2019. 

  4. Microsoft. (n.d.). Smart App Control Frequently Asked Questions. Retrieved April 4, 2025. 

  5. Nelson, M. (2016, November 21). Bypassing Application Whitelisting By Using rcsi.exe. Retrieved May 26, 2017. 

  6. Nelson, M. (2017, November 17). Bypassing Application Whitelisting By Using dnx.exe. Retrieved May 25, 2017.