T1127 - Trusted Developer Utilities Proxy Execution#

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.

Atomic Tests#

Atomic Test #1 - Lolbin Jsc.exe compile javascript to exe#

Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe. https://lolbas-project.github.io/lolbas/Binaries/Jsc/ https://www.phpied.com/make-your-javascript-a-windows-exe/

Supported Platforms: windows

Dependencies: Run with powershell!#

Description: JavaScript code file must exist on disk at specified location (#(unknown))#
Check Prereq Commands:#
if (Test-Path "PathToAtomicsFolder\T1127\src\hello.js") {exit 0} else {exit 1}

Get Prereq Commands:#
New-Item -Type Directory (split-path "PathToAtomicsFolder\T1127\src\hello.js") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/hello.js" -OutFile "PathToAtomicsFolder\T1127\src\hello.js"

Invoke-AtomicTest T1127 -TestNumbers 1 -GetPreReqs

Attack Commands: Run with command_prompt#

copy "PathToAtomicsFolder\T1127\src\hello.js" %TEMP%\hello.js
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe %TEMP%\hello.js
Invoke-AtomicTest T1127 -TestNumbers 1

Cleanup:#

del %TEMP%\hello.js
del %TEMP%\hello.exe
Invoke-AtomicTest T1127 -TestNumbers 1 -Cleanup

Atomic Test #2 - Lolbin Jsc.exe compile javascript to dll#

Use jsc.exe to compile javascript code stored in Library.js and output Library.dll. https://lolbas-project.github.io/lolbas/Binaries/Jsc/ https://www.phpied.com/make-your-javascript-a-windows-exe/

Supported Platforms: windows

Dependencies: Run with powershell!#

Description: JavaScript code file must exist on disk at specified location (#(unknown))#
Check Prereq Commands:#
if (Test-Path "PathToAtomicsFolder\T1127\src\LibHello.js") {exit 0} else {exit 1}

Get Prereq Commands:#
New-Item -Type Directory (split-path "PathToAtomicsFolder\T1127\src\LibHello.js") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/LibHello.js" -OutFile "PathToAtomicsFolder\T1127\src\LibHello.js"

Invoke-AtomicTest T1127 -TestNumbers 2 -GetPreReqs

Attack Commands: Run with command_prompt#

copy "PathToAtomicsFolder\T1127\src\LibHello.js" %TEMP%\LibHello.js
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe /t:library %TEMP%\LibHello.js
Invoke-AtomicTest T1127 -TestNumbers 2

Cleanup:#

del %TEMP%\LibHello.js
del %TEMP%\LibHello.dll
Invoke-AtomicTest T1127 -TestNumbers 2 -Cleanup

Detection#

Monitor for the abnormal presence of these or other utilities that enable proxy execution and are typically used for development, debugging, and reverse engineering; their presence on a system that is not used for these purposes may be suspicious.

Use process monitoring to monitor the execution and arguments of developer utilities that may be abused. Compare recent invocations of those binaries with the prior history of known-good arguments and executed binaries to determine anomalous and potentially adversarial activity. These utilities are likely to be used by software developers or for other software development related tasks, so if one exists and is used outside of that context, the event may be suspicious. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.
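As an added example (not part of the Atomic Red Team test or the ATT&CK text), the following Python applies the comparison described above to constructed process-creation events: a jsc.exe launch is flagged when it runs on a host outside an assumed developer allowlist, is spawned by a parent outside an assumed known-good set, compiles a source file from a temporary directory, or uses the /t:library switch seen in Test #2. The host names, parent list and events are constructed assumptions.

```python
"""Flag anomalous jsc.exe invocations in process-creation events.

Added example, not the page's own code. The developer-host allowlist, the
known-good parent list and the sample events are constructed assumptions.
"""
import ntpath
import re

DEV_UTILITIES = {"jsc.exe"}                          # utility discussed on the page
KNOWN_DEV_HOSTS = {"DEV-WS01"}                       # assumed developer workstations
KNOWN_GOOD_PARENTS = {"devenv.exe", "msbuild.exe"}   # assumed known-good parents
# Source files compiled out of temp or public folders break the normal dev pattern.
TEMP_DIR_RE = re.compile(r"(\\temp\\|\\appdata\\local\\temp\\|\\users\\public\\)", re.I)


def score_event(ev):
    """Return the reasons an event is suspicious ([] means it looks normal)."""
    if ntpath.basename(ev["image"]).lower() not in DEV_UTILITIES:
        return []                                    # not a utility we track
    reasons = []
    if ev["host"].upper() not in KNOWN_DEV_HOSTS:
        reasons.append("developer utility on non-developer host")
    parent = ntpath.basename(ev["parent"]).lower()
    if parent not in KNOWN_GOOD_PARENTS:
        reasons.append(f"unusual parent process {parent}")
    if TEMP_DIR_RE.search(ev["command_line"]):
        reasons.append("source file in temporary/user-writable directory")
    if re.search(r"(?i)/t(arget)?:library", ev["command_line"]):
        reasons.append("compiles to DLL (/t:library)")
    return reasons


SAMPLE_EVENTS = [  # constructed, modelled on Sysmon Event ID 1 fields
    {"host": "DEV-WS01", "parent": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
     "command_line": r"jsc.exe C:\src\app\build.js"},
    {"host": "FIN-PC07", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
     "command_line": r"jsc.exe C:\Users\jdoe\AppData\Local\Temp\hello.js"},
    {"host": "FIN-PC07", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\jdoe\notes.txt"},
]


def triage(events):
    """Map event index -> reasons for every event that raised at least one reason."""
    return {i: r for i, ev in enumerate(events) if (r := score_event(ev))}


if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS).items():
        print(SAMPLE_EVENTS[i]["host"], SAMPLE_EVENTS[i]["command_line"], reasons)
```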

Shield Active Defense#

System Activity Monitoring#

Collect system activity logs which can reveal adversary activity.

Capturing system logs can show logins, user and system events, etc. Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system.

Opportunity#

There is an opportunity to create a detection with a moderately high probability of success.

Use Case#

A defender can detect the presence of an adversary by monitoring for processes that are created by commands and/or scripts they execute on a system.

Procedures#

Ensure that systems capture and retain common system level activity artifacts that might be produced. Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc.