Description
Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. Many utilities used for software-development-related tasks can execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities are often signed with legitimate certificates, which lets them execute on a system and proxy execution of malicious code through a trusted process, effectively bypassing application control solutions.
Smart App Control is a feature of Windows that blocks applications it considers potentially malicious from running by verifying unsigned applications against a known safe list from a Microsoft cloud service before executing them.(Citation: Microsoft Smart App Control) However, adversaries may leverage "reputation hijacking" to abuse an operating system’s trust of safe, signed applications that support the execution of arbitrary code. By leveraging Trusted Developer Utilities Proxy Execution to run their malicious code, adversaries may bypass Smart App Control protections.(Citation: Elastic Security Labs)
Platforms
Sub-Techniques (3)
Mitigations (3)
- Execution Prevention (M1038): Certain developer utilities should be blocked or restricted if not required.
- Restrict Web-Based Content (M1021): Consider disabling software installation or execution from the internet via developer utilities.
- Disable or Remove Feature or Program (M1042): Specific developer utilities may not be necessary within a given environment and should be removed if not used.
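The description above explains the behaviour (a signed, trusted developer utility such as dnx.exe, rcsi.exe, windbg.exe/cdb.exe or tracker.exe spawned to run attacker-supplied code), and the mitigations say to restrict such utilities to where they are needed. The following Python is an added detection example, not MITRE's or any vendor's code. It runs over a few constructed Sysmon-style process-creation events (the JSON field names, the "expected parent" allowlist, the developer-host allowlist and the sample events are all assumptions) and flags executions of the page's named utilities that look out of place: on a host where they are not permitted, under an unexpected parent, from a non-standard location, or with a command line that reaches into user-writable paths.

```python
"""Detection logic for T1127-style proxy execution by trusted developer utilities.

Added example, not MITRE's or a vendor's code. Utility names come from the
page's cited sources; field names, allowlists and sample events are assumptions.
"""
import json
import ntpath

# Developer utilities named on this page that can proxy code execution.
DEV_UTILITIES = {"dnx.exe", "rcsi.exe", "windbg.exe", "cdb.exe", "tracker.exe"}

# Parents under which these utilities are expected in a build/debug workflow
# (assumed allowlist; tune per environment).
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe"}

# Hosts where developer utilities are permitted at all (M1038 / M1042 policy;
# assumed for this example).
DEVELOPER_HOSTS = {"DEV-WS01"}

# Install roots where a legitimately installed utility is expected to live.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Path fragments that indicate user-writable locations in a command line.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def analyze_event(event):
    """Return a list of findings for one process-creation event.

    An empty list means the event is not relevant to T1127.
    """
    image = event.get("Image", "")
    if _base(image) not in DEV_UTILITIES:
        return []
    findings = []
    if event.get("Host", "") not in DEVELOPER_HOSTS:
        findings.append("developer utility executed on a non-developer host")
    parent = _base(event.get("ParentImage", ""))
    if parent not in EXPECTED_PARENTS:
        findings.append(f"unexpected parent process: {parent or '<unknown>'}")
    if not image.lower().startswith(TRUSTED_ROOTS):
        findings.append("utility running from a non-standard location")
    cmdline = event.get("CommandLine", "").lower()
    if any(marker in cmdline for marker in USER_WRITABLE):
        findings.append("command line references a user-writable path")
    return findings


def scan(log_lines):
    """Parse JSON-lines events; return [(host, image name, findings)] for hits."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        findings = analyze_event(event)
        if findings:
            hits.append((event.get("Host", ""), _base(event.get("Image", "")), findings))
    return hits


# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {   # benign: MSBuild's Tracker.exe under Visual Studio on a developer box
        "Host": "DEV-WS01",
        "ParentImage": r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
        "Image": r"C:\Program Files (x86)\MSBuild\15.0\Bin\Tracker.exe",
        "CommandLine": "Tracker.exe /c cl.exe main.cpp",
    },
    {   # suspicious: rcsi.exe fed a script from Temp on a finance workstation
        "Host": "FIN-PC07",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Roslyn\rcsi.exe",
        "CommandLine": r"rcsi.exe C:\Users\alice\AppData\Local\Temp\build.csx",
    },
    {   # suspicious: cdb.exe copied to Downloads and run with a script file
        "Host": "DEV-WS01",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Users\bob\Downloads\cdb.exe",
        "CommandLine": r"C:\Users\bob\Downloads\cdb.exe -cf C:\Users\bob\Downloads\run.txt",
    },
    {   # irrelevant: not a developer utility
        "Host": "FIN-PC07",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": "chrome.exe",
    },
])

if __name__ == "__main__":
    for host, image, findings in scan(SAMPLE_LOG.splitlines()):
        print(f"{host}: {image}")
        for f in findings:
            print(f"  - {f}")
```

The host allowlist check is the mitigation side (where the utility is not needed, any execution is a policy violation); the parent, path and argument checks are the detection side for hosts where the utility is legitimately present. Keep the trusted-root and parent lists narrow: a utility copied out of its install directory, or launched by something other than the build toolchain, is the signal this technique leaves.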
References
- Graeber, M. (2016, August 15). Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner. Retrieved November 17, 2024.
- Desimone, J. (2024, August 5). Dismantling Smart App Control. Retrieved March 21, 2025.
- LOLBAS. (n.d.). Tracker.exe. Retrieved July 31, 2019.
- Microsoft. (n.d.). Smart App Control Frequently Asked Questions. Retrieved April 4, 2025.
- Nelson, M. (2016, November 21). Bypassing Application Whitelisting By Using rcsi.exe. Retrieved May 26, 2017.
- Nelson, M. (2017, November 17). Bypassing Application Whitelisting By Using dnx.exe. Retrieved May 25, 2017.
Frequently Asked Questions
What is T1127 (Trusted Developer Utilities Proxy Execution)?
T1127 is a MITRE ATT&CK technique named 'Trusted Developer Utilities Proxy Execution'. It belongs to the Stealth and Execution tactics. Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute...
How can T1127 be detected?
Detection of T1127 (Trusted Developer Utilities Proxy Execution) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1127?
There are 3 documented mitigations for T1127. Key mitigations include: Execution Prevention, Restrict Web-Based Content, Disable or Remove Feature or Program.
Which threat groups use T1127?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.