Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. Many utilities used for software-development tasks can execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities are often signed with legitimate certificates that allow them to run on a system, so an adversary can proxy execution of malicious code through a trusted process and effectively bypass application control solutions.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.CM-09.01 | Software and data integrity checking | Mitigates | T1127 | Trusted Developer Utilities Proxy Execution | Comments: This diagnostic statement protects against Trusted Developer Utilities Proxy Execution by verifying the integrity of software and firmware, loading only trusted software, ensuring privileged process integrity, and checking software signatures. |
PR.PS-06.05 | Testing and validation strategy | Mitigates | T1127 | Trusted Developer Utilities Proxy Execution | Comments: This diagnostic statement highlights the use of software security testing, code integrity verification, and vulnerability scanning to mitigate security weaknesses and vulnerabilities in developed code or applications that an adversary may be able to take advantage of. |
PR.PS-01.03 | Configuration deviation | Mitigates | T1127 | Trusted Developer Utilities Proxy Execution | Comments: This diagnostic statement provides protection from Trusted Developer Utilities Proxy Execution through the implementation of security configuration baselines for the OS, software, file integrity monitoring, and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-06 | Configuration Settings | mitigates | T1127 | Trusted Developer Utilities Proxy Execution | |
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1127 | Trusted Developer Utilities Proxy Execution | |
CM-08 | System Component Inventory | mitigates | T1127 | Trusted Developer Utilities Proxy Execution | |
SI-10 | Information Input Validation | mitigates | T1127 | Trusted Developer Utilities Proxy Execution | |
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1127 | Trusted Developer Utilities Proxy Execution | |
CM-02 | Baseline Configuration | mitigates | T1127 | Trusted Developer Utilities Proxy Execution | |
CM-07 | Least Functionality | mitigates | T1127 | Trusted Developer Utilities Proxy Execution | |
SI-04 | System Monitoring | mitigates | T1127 | Trusted Developer Utilities Proxy Execution | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1127 | Trusted Developer Utilities Proxy Execution | |
action.hacking.variety.Unknown | Unknown | related-to | T1127 | Trusted Developer Utilities Proxy Execution | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
google_secops | Google Security Operations | technique_scores | T1127 | Trusted Developer Utilities Proxy Execution | Comments: Google Security Ops triggers an alert based on common command-line arguments used by adversaries to proxy execution of code through trusted utilities. This technique was scored as minimal based on a low or uncertain detection coverage factor. References: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral ; https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/detection_of_winrs_usage.yaral |