T1127 Trusted Developer Utilities Proxy Execution Mappings

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CM-2 Baseline Configuration Protects T1127 Trusted Developer Utilities Proxy Execution
CM-6 Configuration Settings Protects T1127 Trusted Developer Utilities Proxy Execution
CM-7 Least Functionality Protects T1127 Trusted Developer Utilities Proxy Execution
CM-8 System Component Inventory Protects T1127 Trusted Developer Utilities Proxy Execution
RA-5 Vulnerability Monitoring and Scanning Protects T1127 Trusted Developer Utilities Proxy Execution
SI-10 Information Input Validation Protects T1127 Trusted Developer Utilities Proxy Execution
SI-4 System Monitoring Protects T1127 Trusted Developer Utilities Proxy Execution
SI-7 Software, Firmware, and Information Integrity Protects T1127 Trusted Developer Utilities Proxy Execution
azure_sentinel Azure Sentinel technique_scores T1127 Trusted Developer Utilities Proxy Execution

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1127.001 MSBuild 6