T1127: Trusted Developer Utilities Proxy Execution

View on MITRE ATT&CK T1127
Tactic(s) Defense Evasion
Associated CAPEC Patterns Software Development Tools Maliciously Altered (CAPEC-670)

Data from MITRE ATT&CK®:

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Cyber Threat Graph Context

Explore how this ATT&CK Technique relates to the wider threat graph

Mitigations for this technique

MITRE ATT&CK Mitigations

How to detect this technique

MITRE ATT&CK Data Components

Control Validation Tests for this Technique

Use Atomic Red Team tests to test your defenses against this technique.

Sigma Detections for this Technique

SP800-53 Controls

See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.

Node
SI-10: Information Input Validation
CM-2: Baseline Configuration
SI-4: System Monitoring
CM-8: System Component Inventory
SI-7: Software, Firmware, and Information Integrity
RA-5: Vulnerability Monitoring and Scanning
CM-6: Configuration Settings
CM-7: Least Functionality