
T1127 - Trusted Developer Utilities Proxy Execution

Description from ATT&CK

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.

Atomic Tests


Atomic Test #1 - Lolbin Jsc.exe compile javascript to exe

Use jsc.exe to compile JavaScript code stored in scriptfile.js and output scriptfile.exe. https://lolbas-project.github.io/lolbas/Binaries/Jsc/ https://www.phpied.com/make-your-javascript-a-windows-exe/

Supported Platforms: Windows

auto_generated_guid: 1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | Location of the project file | path | PathToAtomicsFolder\T1127\src\hello.js |
| jscpath | Default location of jsc.exe | path | C:\Windows\Microsoft.NET\Framework\v4.0.30319 |
| jscname | Default name of jsc | path | jsc.exe |

Attack Commands: Run with command_prompt!

copy "#{filename}" %TEMP%\hello.js
#{jscpath}\#{jscname} %TEMP%\hello.js

Cleanup Commands:

del %TEMP%\hello.js
del %TEMP%\hello.exe

Dependencies: Run with powershell!

Description: JavaScript code file must exist on disk at specified location (#{filename})
Check Prereq Commands:
if (Test-Path "#{filename}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/hello.js" -OutFile "#{filename}"


Atomic Test #2 - Lolbin Jsc.exe compile javascript to dll

Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll. https://lolbas-project.github.io/lolbas/Binaries/Jsc/ https://www.phpied.com/make-your-javascript-a-windows-exe/

Supported Platforms: Windows

auto_generated_guid: 3fc9fea2-871d-414d-8ef6-02e85e322b80

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | Location of the project file | path | PathToAtomicsFolder\T1127\src\LibHello.js |
| jscpath | Default location of jsc.exe | path | C:\Windows\Microsoft.NET\Framework\v4.0.30319 |
| jscname | Default name of jsc | path | jsc.exe |

Attack Commands: Run with command_prompt!

copy "#{filename}" %TEMP%\LibHello.js
#{jscpath}\#{jscname} /t:library %TEMP%\LibHello.js

Cleanup Commands:

del %TEMP%\LibHello.js
del %TEMP%\LibHello.dll

Dependencies: Run with powershell!

Description: JavaScript code file must exist on disk at specified location (#{filename})
Check Prereq Commands:
if (Test-Path "#{filename}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/LibHello.js" -OutFile "#{filename}"
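Detection logic for both atomic tests above, as an added example that is not part of Atomic Red Team: it scores process-creation events (Sysmon Event ID 1 style fields Image, CommandLine, ParentImage) and flags jsc.exe runs that compile a source file from a user-writable location such as %TEMP% or emit a DLL via /t:library. The directory list, the "expected build parent" list and the sample events are assumptions constructed for the example.

```python
"""Flag jsc.exe invocations that match the T1127 atomic tests (added example)."""
import re

# Directories where a legitimate build rarely keeps its sources (assumption).
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
                      "\\users\\public\\", "\\programdata\\", "\\downloads\\")
# Parents that normally drive jsc.exe during a real build (assumption).
BUILD_PARENTS = ("msbuild.exe", "devenv.exe")

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def split_cmdline(cmdline: str) -> list:
    """Tokenise a Windows command line, keeping quoted arguments whole."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def assess(event: dict) -> list:
    """Return reasons an event looks like T1127 abuse; an empty list means not flagged."""
    if basename(event["Image"]) != "jsc.exe":
        return []
    args = split_cmdline(event["CommandLine"])[1:]          # drop argv[0]
    options = [a.lower() for a in args if a.startswith("/")]
    sources = [a for a in args if not a.startswith("/")]
    reasons = []
    for src in sources:
        if any(d in src.lower() for d in USER_WRITABLE_DIRS):
            reasons.append(f"source file in user-writable path: {src}")
    if any(o.startswith(("/t:library", "/target:library")) for o in options):
        reasons.append("compiles to DLL (/t:library)")
    # Parent is corroboration only: it never flags on its own.
    if reasons and basename(event["ParentImage"]) not in BUILD_PARENTS:
        reasons.append(f"unusual parent: {basename(event['ParentImage'])}")
    return reasons

# Constructed samples: test #1 and #2 after cmd expands %TEMP%, then a normal build.
JSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
SAMPLE_EVENTS = [
    {"Image": JSC, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": JSC + r" C:\Users\alice\AppData\Local\Temp\hello.js"},
    {"Image": JSC, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"jsc.exe /t:library C:\Users\alice\AppData\Local\Temp\LibHello.js"},
    {"Image": JSC, "ParentImage": r"C:\Program Files\MSBuild\msbuild.exe",
     "CommandLine": r"jsc.exe /out:C:\src\app\app.exe C:\src\app\main.js"},
]

def flagged(events=SAMPLE_EVENTS) -> list:
    """Indexes of the events that assess() flagged."""
    return [i for i, e in enumerate(events) if assess(e)]
```

Tune USER_WRITABLE_DIRS and BUILD_PARENTS to your own build hosts before deploying; a developer compiling from a scratch directory will otherwise produce false positives.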