T1127 - Trusted Developer Utilities Proxy Execution

Description from ATT&CK

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.

Atomic Tests


Atomic Test #1 - Lolbin Jsc.exe compile javascript to exe

Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe. https://lolbas-project.github.io/lolbas/Binaries/Jsc/ https://www.phpied.com/make-your-javascript-a-windows-exe/

Supported Platforms: Windows

auto_generated_guid: 1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | filename | Location of the project file | path | PathToAtomicsFolder\T1127\src\hello.js| | jscpath | Default location of jsc.exe | path | C:\Windows\Microsoft.NET\Framework\v4.0.30319| | jscname | Default name of jsc | path | jsc.exe|

Attack Commands: Run with
1
command_prompt
!

copy "#{filename}" %TEMP%\hello.js
#{jscpath}\#{jscname} %TEMP%\hello.js

Cleanup Commands:

del %TEMP%\hello.js
del %TEMP%\hello.exe

Dependencies: Run with
1
powershell
!

Description: JavaScript code file must exist on disk at specified location (#{filename})
Check Prereq Commands:
1
if (Test-Path "#{filename}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/hello.js" -OutFile "#{filename}"



Atomic Test #2 - Lolbin Jsc.exe compile javascript to dll

Use jsc.exe to compile javascript code stored in Library.js and output Library.dll. https://lolbas-project.github.io/lolbas/Binaries/Jsc/ https://www.phpied.com/make-your-javascript-a-windows-exe/

Supported Platforms: Windows

auto_generated_guid: 3fc9fea2-871d-414d-8ef6-02e85e322b80

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | filename | Location of the project file | path | PathToAtomicsFolder\T1127\src\LibHello.js| | jscpath | Default location of jsc.exe | path | C:\Windows\Microsoft.NET\Framework\v4.0.30319| | jscname | Default name of jsc | path | jsc.exe|

Attack Commands: Run with
1
command_prompt
!

copy "#{filename}" %TEMP%\LibHello.js
#{jscpath}\#{jscname} /t:library %TEMP%\LibHello.js

Cleanup Commands:

del %TEMP%\LibHello.js
del %TEMP%\LibHello.dll

Dependencies: Run with
1
powershell
!

Description: JavaScript code file must exist on disk at specified location (#{filename})
Check Prereq Commands:
1
if (Test-Path "#{filename}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/LibHello.js" -OutFile "#{filename}"