Trusted Developer Utilities Proxy Execution T1127
Tactics: Stealth, Execution
Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.
Events covered
11 catalog events are tagged with this technique by at least one rule.
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Sysmon | Event ID 3 | Network connection |
| Sysmon | Event ID 7 | Image loaded |
| Sysmon | Event ID 8 | CreateRemoteThread |
| Sysmon | Event ID 11 | FileCreate |
| Sysmon | Event ID 13 | RegistryEvent (Value Set) |
| Sysmon | Event ID 22 | DNSEvent (DNS query) |
| Security-Auditing | Event ID 4688 | A new process has been created. |
| Defender-DeviceProcessEvents | any | Process activity (any) |
| PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData. |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Authoring guide
Patterns shared across the 58 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (34 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (276 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.
Exclusions (109 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 21 rules
- AspNetCompiler Execution
- C# IL Code Compilation Via Ilasm.EXE
- Detection of PowerShell Execution via Sqlps.exe
- JScript Compiler Execution
- Kavremover Dropped Binary LOLBIN Usage
- Microsoft Workflow Compiler Execution
- Node Process Executions
- Potential Arbitrary Code Execution Via Node.EXE
- Potential Binary Proxy Execution Via Cdb.EXE
- Potential Mftrace.EXE Abuse
- Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
- Remote Thread Creation Ttdinject.exe Proxy
- Silenttrinity Stager Msbuild Activity
- SQL Client Tools PowerShell Session Detection
- Suspicious Child Process of AspNetCompiler
- Suspicious File Created by ArcSOC.exe
- Suspicious Use of CSharp Interactive Console
- Use of Remote.exe
- Use of TTDInject.exe
- Use of VSIISExeLauncher.exe
- Use of Wfc.exe
Elastic 18 rules
- Anomalous Linux Compiler Activity
- Delayed Execution via Ping
- Execution of Persistent Suspicious Program
- Execution via Microsoft DotNet ClickOnce Host
- Execution via MS VisualStudio Pre/Post Build Events
- Microsoft Build Engine Started an Unusual Process
- Microsoft Build Engine Started by a Script Process
- Microsoft Build Engine Started by a System Process
- Microsoft Build Engine Started by an Office Application
- Microsoft Build Engine Using an Alternate Name
- MsBuild Making Network Connections
- Network Activity to a Suspicious Top Level Domain
- Potential Credential Access via Trusted Developer Utility
- Process Injection by the Microsoft Build Engine
- Suspicious .NET Code Compilation
- Suspicious Execution from a Mounted Device
- Unusual Network Activity from a Windows System Binary
- Unusual Process Network Connection
Splunk 16 rules
- CDB Execution (Sysmon)
- CDB Execution (Windows Event Log)
- ETW Registry Disabled
- Microsoft Build Engine Suspicious Parent Process (Sysmon)
- Microsoft Build Engine Suspicious Parent Process (Windows Event Log)
- MSBuild Suspicious Spawned By Script Process
- Proxy Execution via Appcert (PowerShell)
- Proxy Execution via Appcert (Sysmon)
- Proxy Execution via Appcert (Windows Event Log)
- Suspicious microsoft workflow compiler rename
- Suspicious microsoft workflow compiler usage
- Suspicious msbuild path
- Suspicious MSBuild Rename
- Suspicious MSBuild Spawn
- Unusual AppCert Child Process (Sysmon)
- Unusual AppCert Child Process (Windows Event Log)