Trusted Developer Utilities Proxy Execution

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development-related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.[1][2][3][4] These utilities are often signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process, effectively bypassing application control solutions.

ID: T1127
Sub-techniques:  T1127.001, T1127.002
Tactic: Defense Evasion
Platforms: Windows
Defense Bypassed: Application Control
Contributors: Casey Smith; Matthew Demaske, Adaptforward
Version: 1.2
Created: 31 May 2017
Last Modified: 05 May 2022

Mitigations

ID: M1042
Mitigation: Disable or Remove Feature or Program
Description: Specific developer utilities may not be necessary within a given environment and should be removed if not used.

ID: M1038
Mitigation: Execution Prevention
Description: Certain developer utilities should be blocked or restricted if not required.

ID: M1021
Mitigation: Restrict Web-Based Content
Description: Consider disabling software installation or execution from the internet via developer utilities.

Detection

ID: DS0017
Data Source: Command
Data Component: Command Execution
Detects: Monitoring executed commands and arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.

ID: DS0011
Data Source: Module
Data Component: Module Load
Detects: Monitor for trusted developer utilities loading unsigned modules.

ID: DS0009
Data Source: Process
Data Component: Process Creation
Detects: The presence of these or other utilities that enable proxy execution and are typically used for development, debugging, and reverse engineering may be suspicious on a system that is not used for these purposes. Use process monitoring to monitor the execution and arguments of developer utilities that may be abused. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. These utilities are likely to be used by software developers or for other software development-related tasks, so if one exists and is used outside of that context, the event may be suspicious.

ID: DS0009
Data Source: Process
Data Component: Process Metadata
Detects: Evaluate Event Tracing for Windows (ETW) telemetry associated with the execution of developer utilities.
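
The baseline comparison described under Process Creation can be sketched as follows. This is an added example, not part of the original page: it builds a history of known-good hosts, parent processes and argument shapes per utility, then reports which of those are new in recent events. The watchlist, the event field names, the host names and all sample events are constructed assumptions.

```python
import ntpath
import re

# Assumed watchlist (the page names no binaries); tune it to the environment.
WATCHED = {"msbuild.exe", "cdb.exe", "dnx.exe", "rcsi.exe"}
KINDS = ("host", "parent", "args")

def base(path):
    return ntpath.basename(path).lower()

def arg_shape(cmdline):
    """Collapse a command line to switch names plus file extensions."""
    shape = set()
    for tok in re.findall(r'"[^"]*"|\S+', cmdline)[1:]:  # skip the image
        tok = tok.strip('"')
        if tok.startswith(("/", "-")):
            shape.add(tok.split(":", 1)[0].lower())
        else:
            shape.add("file" + (ntpath.splitext(tok)[1].lower() or "<none>"))
    return tuple(sorted(shape))

def features(ev):
    return (base(ev["image"]), ev["host"].lower(),
            base(ev["parent"]), arg_shape(ev["cmdline"]))

def build_baseline(history):
    """Record (utility, value) pairs seen in known-good history."""
    seen = {k: set() for k in KINDS}
    for ev in history:
        img, *vals = features(ev)
        if img in WATCHED:
            for kind, val in zip(KINDS, vals):
                seen[kind].add((img, val))
    return seen

def triage(ev, seen):
    """Return the attributes of a watched-utility event absent from history."""
    img, *vals = features(ev)
    if img not in WATCHED:
        return []
    return [k for k, v in zip(KINDS, vals) if (img, v) not in seen[k]]

def ev(host, parent, image, cmdline):
    return {"host": host, "parent": parent, "image": image, "cmdline": cmdline}

# Constructed process-creation events (not real telemetry).
MSB = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
JAVA = r"C:\Jenkins\jre\bin\java.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
HISTORY = [ev("BUILD01", JAVA, MSB,
              r'MSBuild.exe "C:\src\app one\app.sln" /t:Build /p:Configuration=Release')]
RECENT = [ev("build01", JAVA, MSB, r"MSBuild.exe C:\src\svc\svc.sln /p:Configuration=Debug /t:Build"),
          ev("HR-LT-07", WORD, MSB, r"MSBuild.exe C:\Users\Public\notes.xml"),
          ev("HR-LT-07", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe")]

if __name__ == "__main__":
    for e in RECENT:
        print(e["host"], base(e["image"]), triage(e, build_baseline(HISTORY)))
```

Argument shapes ignore concrete paths and switch values, so a routine build of a different solution on the build server matches history, while the same utility on a non-development host with a new parent and argument shape is reported on all three attributes.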

References