Trusted Developer Utilities Proxy Execution - T1127
(ATT&CK® Technique)
Definition
Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.
D3FEND Inferred Relationships
Offensive technique and the artifacts it touches:
T1127 (Trusted Developer Utilities Proxy Execution) modifies Compiler Configuration File
T1127 (Trusted Developer Utilities Proxy Execution) runs Compiler

Defensive techniques, the artifact each acts on, and the inferred relationship to T1127:
File Integrity Monitoring: analyzes Compiler Configuration File; may-detect T1127
File Analysis: analyzes Compiler Configuration File; may-detect T1127
File Encryption: encrypts Compiler Configuration File; may-harden T1127
Software Update: updates Compiler; may-harden T1127
Local File Permissions: restricts Compiler Configuration File; may-isolate T1127
Remote File Access Mediation: isolates Compiler Configuration File; may-isolate T1127
Decoy File: spoofs Compiler Configuration File; may-deceive T1127
File Eviction: deletes Compiler Configuration File; may-evict T1127
Restore File: restores Compiler Configuration File; may-restore T1127
Restore Software: restores Compiler; may-restore T1127