EXPLORE

← Back to Explore

T1127

Trusted Developer Utilities Proxy Execution

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute...

Windows

38

Detections

3

Sources

0

Threat Actors

BY SOURCE

19sigma16elastic3splunk_escu

PROCEDURES (23)

Process Creation Monitoring7 detections

Auto-extracted: 7 detections for process creation monitoring

Network Connection Monitoring4 detections

Auto-extracted: 4 detections for network connection monitoring

Script Block2 detections

Auto-extracted: 2 detections for script block

Privilege2 detections

Auto-extracted: 2 detections for privilege

Script Execution Monitoring2 detections

Auto-extracted: 2 detections for script execution monitoring

Bypass2 detections

Auto-extracted: 2 detections for bypass

Unusual2 detections

Auto-extracted: 2 detections for unusual

Child Process2 detections

Auto-extracted: 2 detections for child process

Remote1 detections

Auto-extracted: 1 detections for remote

Unusual1 detections

Auto-extracted: 1 detections for unusual

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Persist1 detections

Auto-extracted: 1 detections for persist

Module Load Monitoring1 detections

Auto-extracted: 1 detections for module load monitoring

Inject1 detections

Auto-extracted: 1 detections for inject

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Privilege1 detections

Auto-extracted: 1 detections for privilege

Inject1 detections

Auto-extracted: 1 detections for inject

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Unusual1 detections

Auto-extracted: 1 detections for unusual

Powershell1 detections

Auto-extracted: 1 detections for powershell

Persist1 detections

Auto-extracted: 1 detections for persist

Persist1 detections

Auto-extracted: 1 detections for persist

Powershell1 detections

Auto-extracted: 1 detections for powershell

DETECTIONS (38)

Anomalous Linux Compiler Activity

AspNetCompiler Execution

C# IL Code Compilation Via Ilasm.EXE

Delayed Execution via Ping

Detection of PowerShell Execution via Sqlps.exe

ETW Registry Disabled

Execution of Persistent Suspicious Program

JScript Compiler Execution

Kavremover Dropped Binary LOLBIN Usage

Microsoft Build Engine Started an Unusual Process

Microsoft Build Engine Started by a Script Process

Microsoft Build Engine Started by a System Process

Microsoft Build Engine Started by an Office Application

Microsoft Build Engine Using an Alternate Name

MsBuild Making Network Connections

Network Activity to a Suspicious Top Level Domain

Node Process Executions

Potential Arbitrary Code Execution Via Node.EXE

Potential Binary Proxy Execution Via Cdb.EXE

Potential Credential Access via Trusted Developer Utility

Potential Mftrace.EXE Abuse

Potentially Suspicious ASP.NET Compilation Via AspNetCompiler

Process Injection by the Microsoft Build Engine

Remote Thread Creation Ttdinject.exe Proxy

SQL Client Tools PowerShell Session Detection

Suspicious .NET Code Compilation

Suspicious Child Process of AspNetCompiler

Suspicious Execution from a Mounted Device

Suspicious File Created by ArcSOC.exe

Suspicious microsoft workflow compiler rename

Suspicious microsoft workflow compiler usage

Suspicious Use of CSharp Interactive Console

Unusual Network Activity from a Windows System Binary

Unusual Process Network Connection

Use of Remote.exe

Use of TTDInject.exe

Use of VSIISExeLauncher.exe