Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. Many utilities used for software development tasks such as building, debugging, and reverse engineering will execute code handed to them in various forms (scripts, project definitions, or libraries they load).(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities are often signed with legitimate certificates, so an application control policy that trusts the signed binary also lets it run whatever it is fed; the adversary's code executes inside, or as a child of, a trusted process, effectively bypassing application control solutions.
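Because the binaries themselves are legitimate and signed, detection has to key on context rather than on the file: where the utility runs from, what launched it, and what it was asked to execute. The following is an added example (not part of this page, ATT&CK, or any vendor product) that applies such a baseline to constructed process-creation records. The utility names come from the sources cited above; the install directories, the expected-parent list, and the sample events are hypothetical and stand in for a real baseline derived from CM-2/CM-7 and real Sysmon or EDR telemetry (SI-4).

```python
"""Flag executions of signed developer utilities that look like proxy execution.

Added example; not the page's own content. Utility names are taken from the
page's citations (DNX, RCSI, WinDbg, Tracker). Install paths, expected parents
and the event records below are constructed/hypothetical.
"""
import re

# Signed developer utilities referenced by this page's citations.
DEV_UTILITIES = {"dnx.exe", "rcsi.exe", "windbg.exe", "tracker.exe"}

# Hypothetical baseline: where the signed binaries normally live and which
# processes normally launch them on a developer workstation.
TRUSTED_DIRS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\microsoft.net\\",
)
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "cl.exe"}

# Directories an unprivileged user can write to (assumed layout).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\windows\\temp\\",
    re.IGNORECASE,
)
# Drive-letter paths inside a command line, e.g. C:\Users\alice\x.csx
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> list:
    """Return the reasons an event deserves attention; empty list if benign."""
    image = event["image"].lower()
    if basename(image) not in DEV_UTILITIES:
        return []  # not one of the utilities we baseline
    reasons = []
    if not image.startswith(TRUSTED_DIRS):
        reasons.append("utility running from outside its install location")
    parent = basename(event["parent_image"])
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent process {parent}")
    # Anything the utility is told to build, run or load from a user-writable
    # directory is the payload candidate.
    for path in PATH_RE.findall(event["command_line"]):
        if USER_WRITABLE.search(path):
            reasons.append(f"argument references user-writable path {path}")
    return reasons


def scan(events: list) -> dict:
    """Map event id -> reasons for every event that is not benign."""
    findings = {}
    for event in events:
        reasons = analyze(event)
        if reasons:
            findings[event["id"]] = reasons
    return findings


# Constructed process-creation records (Sysmon/EDR style), not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1,
     "image": "C:\\Program Files (x86)\\MSBuild\\14.0\\bin\\Tracker.exe",
     "parent_image": "C:\\Program Files (x86)\\MSBuild\\14.0\\bin\\MSBuild.exe",
     "command_line": "Tracker.exe /d FileTracker.dll /c cl.exe build.cpp"},
    {"id": 2,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Tracker.exe",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "command_line": "Tracker.exe /d C:\\Users\\alice\\AppData\\Local\\Temp\\x.dll /c cmd.exe"},
    {"id": 3,
     "image": "C:\\Program Files (x86)\\Roslyn\\rcsi.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "rcsi.exe C:\\Users\\alice\\Downloads\\setup.csx"},
    {"id": 4,
     "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "notepad.exe C:\\Users\\alice\\Downloads\\notes.txt"},
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Event 1 is a normal MSBuild build and produces no finding; event 2 (a copy of Tracker.exe in a temp directory spawned by an Office process, loading a DLL from that same directory) and event 3 (rcsi.exe launched from the shell against a script in Downloads) are flagged. The expected-parent list is deliberately strict; in practice it is tuned per fleet, and a signature check on the image (SI-7) is a separate control that this rule does not replace, since a renamed or relocated copy of a signed binary still validates.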
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
CM-2 | Baseline Configuration | Protects | T1127 | Trusted Developer Utilities Proxy Execution |
CM-6 | Configuration Settings | Protects | T1127 | Trusted Developer Utilities Proxy Execution |
CM-7 | Least Functionality | Protects | T1127 | Trusted Developer Utilities Proxy Execution |
CM-8 | System Component Inventory | Protects | T1127 | Trusted Developer Utilities Proxy Execution |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1127 | Trusted Developer Utilities Proxy Execution |
SI-10 | Information Input Validation | Protects | T1127 | Trusted Developer Utilities Proxy Execution |
SI-4 | System Monitoring | Protects | T1127 | Trusted Developer Utilities Proxy Execution |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1127 | Trusted Developer Utilities Proxy Execution |
azure_sentinel | Azure Sentinel | technique_scores | T1127 | Trusted Developer Utilities Proxy Execution |