Skip to content

T1127 Trusted Developer Utilities Proxy Execution

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.1234 These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.

Item Value
ID T1127
Sub-techniques T1127.001
Tactics TA0005
Platforms Windows
Permissions required User
Version 1.2
Created 31 May 2017
Last Modified 15 October 2021

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program Specific developer utilities may not be necessary within a given environment and should be removed if not used.
M1038 Execution Prevention Certain developer utilities should be blocked or restricted if not required.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process Process Creation

References

Back to top