T1127: Trusted Developer Utilities Proxy Execution

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

vulnerabilities:
- PT-CR-779: MSDT_CVE_2022_30190: The ms-msdt protocol was used to exploit vulnerability CVE-2022-30190 (Follina) in Microsoft Support Diagnostic Tool (MSDT)

mitre_attck_execution:
- PT-CR-954: Tttracer_LOLBin: Bypassing protection with tttracer.exe

mitre_attck_defense_evasion:
- PT-CR-603: IEExec_AWL_Bypass: An attempt to bypass application-start restrictions by using ieexec.exe (an undocumented Microsoft .NET Framework application that can be used as a host to run other managed applications that you start by using a URL)
- PT-CR-1088: Devinit_AWL_Bypass: An attempt to bypass application-start restrictions by using devinit.exe (a utility included in the Microsoft Visual Studio SDK)
- PT-CR-2569: LoLBas_VS_Nodejstools: A process was started using the Microsoft.NodejsTools.PressAnyKey.exe process from Microsoft Visual Studio Node.js Tools. This may indicate the use of the utility for a Living off the Land attack.
- PT-CR-1776: Browser_LOLBin: A process was started using trusted software
- PT-CR-194: Csc_AWL_Bypass: An attempt to bypass application-start restrictions by using csc.exe (a built-in Microsoft Windows utility used by .NET to compile C# code)
- PT-CR-652: WDAC_Bypass_Via_Dbgsrv: A user started an application debugger

Subtechniques

Detection

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments; the commands used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor for the abnormal presence of these or other utilities that enable proxy execution: tools typically used for development, debugging, and reverse engineering appearing on a system that is not used for these purposes may be suspicious. Use process monitoring to monitor the execution and arguments of developer utilities that may be abused. Compare recent invocations of those binaries with the prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. These utilities are likely to be used by software developers or for other software development related tasks, so if one exists and is used outside of that context, the event may be suspicious.
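As an added example (not part of the original page or the MaxPatrol SIEM rules), the following script applies the detection logic described above to constructed process-creation events: it looks for the developer utilities named in the rules above, then compares the host role, parent process and command-line arguments against an assumed known-good baseline. The host names, parent-image baseline and sample events are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# Developer utilities named in the detection rules above that can proxy execution.
DEV_UTILITIES = {
    "csc.exe", "ieexec.exe", "devinit.exe", "tttracer.exe", "dbgsrv.exe",
    "msdt.exe", "microsoft.nodejstools.pressanykey.exe",
}
# Assumed baseline (hypothetical): hosts where development work is expected, and the
# parent images that normally launch these utilities there.
DEV_HOSTS = {"DEV-WS01"}
KNOWN_GOOD_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe"}
TEMP_PATH = re.compile(r"\\(temp|users\\public)\\", re.I)

def analyze(event):
    """Return the reasons a process-creation event looks anomalous ([] = benign)."""
    image = PureWindowsPath(event["image"]).name.lower()
    if image not in DEV_UTILITIES:
        return []
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    cmd = event["command_line"]
    reasons = []
    if event["host"] not in DEV_HOSTS:
        reasons.append("developer utility on a host not used for development")
    if parent not in KNOWN_GOOD_PARENTS:
        reasons.append(f"unexpected parent process {parent}")
    if image == "msdt.exe" and "ms-msdt:" in cmd.lower():
        reasons.append("ms-msdt protocol handler invoked (CVE-2022-30190 pattern)")
    if TEMP_PATH.search(cmd):
        reasons.append("arguments reference a temp/public path")
    return reasons

# Constructed sample telemetry (Sysmon-style process-creation fields), not real logs.
SAMPLE_EVENTS = [
    {"host": "DEV-WS01", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\VS\Common7\IDE\devenv.exe",
     "command_line": r'csc.exe /noconfig @"C:\Projects\App\obj\Debug\App.rsp"'},
    {"host": "HR-PC07", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"csc.exe /target:library /out:C:\Users\Public\x.dll C:\Users\Public\x.cs"},
    {"host": "HR-PC07", "image": r"C:\Windows\System32\msdt.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r"C:\Windows\System32\msdt.exe ms-msdt:/id PCWDiagnostic"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        reasons = analyze(ev)
        if reasons:
            print(f"{ev['host']}: {PureWindowsPath(ev['image']).name} -> {'; '.join(reasons)}")
```

The first event (csc.exe launched by Visual Studio on a developer workstation) produces no findings; the two events on the non-developer host are flagged for host role, parent process and argument anomalies.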

Mitigation

ID: M1042
Name: Disable or Remove Feature or Program
Description:

Specific developer utilities may not be necessary within a given environment and should be removed if not used.

ID: M1038
Name: Execution Prevention
Description:

Certain developer utilities should be blocked or restricted if not required.