Trusted Developer Utilities Proxy Execution T1127

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.

Events covered

11 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 54 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (29 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
Image23ends_with 19, contains 3, wildcard 2, ne 1, starts_with 1:\windows\microsoft.net\framework64\, :\windows\microsoft.net\framework\, :\windows\microsoft.net\frameworkarm64\, *\\framework*\\v*\\*, :\temp\
process_name22eq 17, ne 2, regex_match 2, wildcard 1msbuild.exe, certutil.exe, (?i)msbuild\.exe, bginfo.exe, cdb.exe
OriginalFileName21eq 20, in 1msbuild.exe, microsoft.workflow.compiler.exe, \sqltoolsps.exe, cdb.exe, cscript.exe
CommandLine15contains 9, regex_match 5, wildcard 1(?i)\stest\s, (?i)\s+\-(cf|cfr|premote|pd.*-pn|pn.*-pd)\s+, --eval , -a , -c
parent_process_name13eq 8, regex_match 4, in 1explorer.exe, (?i)(cmd|powershell(_ise)?|pwsh|cscript|wscript|mshta)\.exe, (?i)^appcert.exe, cscript.exe, wmiprvse.exe
EventID10eq 104688, 1, 4103, 4104
event.type10eq 10start
ParentImage6ends_with 6\aspnet_compiler.exe, \cleanapi.exe, \kavremover.exe, \mftrace.exe, \powershell.exe
EventType4eq 4start, connection_attempted, lookup_requested
Type4eq 4
process.args3eq 1, starts_with 1, wildcard 1-n, ?:\Users\*\AppData\Local\Temp\tmp*.exec.cmd, C:\Intel\, C:\PerfLogs\, C:\ProgramData\
process.code_signature.trusted2eq 1, ne 1false, true
CurrentDirectory1starts_with 1D:\, E:\, F:\
DestinationPort1eq 1443, 80
Details1eq 1, is_not_null 10x00000000

Top indicator values (257 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
process_nameeq
msbuild.exe
1215
process_nameeq
microsoft.workflow.compiler.exe
48
process_nameeq
mshta.exe
428
process_nameeq
regsvr32.exe
423
process_nameeq
rundll32.exe
455
process_nameeq
wscript.exe
426
process_nameeq
certutil.exe
322
process_nameeq
cscript.exe
322
process_nameeq
ieexec.exe
38
process_nameeq
iexpress.exe
38
process_nameeq
installutil.exe
316
process_nameeq
powershell.exe
399
process_nameeq
bginfo.exe
26
event.typeeq
start
10241
OriginalFileNameeq
msbuild.exe
710
OriginalFileNameeq
microsoft.workflow.compiler.exe
36
EventIDeq
4688
5312
EventIDeq
1
4232
CommandLineregex_match
(?i)\stest\s
33
CommandLineregex_match
(?i)\s+\-(cf|cfr|premote|pd.*-pn|pn.*-pd)\s+
22
EventTypeeq
start
316
parent_process_nameeq
explorer.exe
320
parent_process_nameeq
wmiprvse.exe
211
Imagecontains
:\windows\microsoft.net\framework64\
26
Imagecontains
:\windows\microsoft.net\framework\
26
Imagecontains
:\windows\microsoft.net\frameworkarm64\
26
Imagecontains
:\windows\microsoft.net\frameworkarm\
26
Imageends_with
\aspnet_compiler.exe
23
parent_process_nameregex_match
(?i)(cmd|powershell(_ise)?|pwsh|cscript|wscript|mshta)\.exe
22
parent_process_nameregex_match
(?i)^appcert.exe
22

Exclusions (100 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
CommandLineregex_match
(?i)\-setupcommandline
3
process_nameeq
powershell.exe
2
process_nameregex_match
(?i)\x5cprogram\sfiles(\s\(x86\))?\x5cwindows\skits\x5c10\x5c
2
CommandLinecontains
\.nuget\packages\vswhere\
1
CommandLinecontains
adobe creative cloud experience\js
1
CommandLinecontains
common\..\..\buildtools\
1
CommandLinecontains
git log --pretty=format
1
CommandLinecontains
vswhere.exe -property catalog_productsemanticversion
1
CommandLineeq
driver\DPInst_x64 /f
1
CurrentDirectorywildcard
?:\Users\*\AppData\Local\Temp\BackupBootstrapper\Logs\
1
CurrentDirectorywildcard
?:\Users\*\AppData\Local\Temp\QBTools\
1
CurrentDirectorywildcard
?:\Windows\TempInst\*
1
EventDatacontains
gc_service.exe
1
EventDatacontains
gc_worker.exe
1
Imagestarts_with
c:\\program files (x86)\\microsoft visual studio
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 21 rules

Elastic 15 rules

Splunk 16 rules

Kusto 2 rules