trusted_developer_utilities_proxy_execution.yml (forked from splunk/security_content)
name: Trusted Developer Utilities Proxy Execution
id: 270a67a6-55d8-11eb-ae93-0242ac130002
version: 1
date: '2021-01-12'
author: Michael Haag, Splunk
description: Monitor and detect behaviors used by attackers who leverage trusted developer
  utilities to execute malicious code.
narrative: 'Adversaries may take advantage of trusted developer utilities to proxy
  execution of malicious payloads. There are many utilities used for software development
  related tasks that can be used to execute code in various forms to assist in development,
  debugging, and reverse engineering. These utilities may often be signed with legitimate
  certificates that allow them to execute on a system and proxy execution of malicious
  code through a trusted process that effectively bypasses application control solutions.
  The searches in this story help you detect and investigate suspicious activity that
  may indicate that an adversary is leveraging microsoft.workflow.compiler.exe to
  execute malicious code.'
references:
- https://attack.mitre.org/techniques/T1127/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
- https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/
tags:
  analytic_story: Trusted Developer Utilities Proxy Execution
  category:
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection
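As an added illustration (not part of the Splunk story or its searches), the check below does in plain Python what the story's searches do in SPL: it walks Sysmon-style process-creation events and reports any launch of microsoft.workflow.compiler.exe. The field names (Image, OriginalFileName, ParentImage, CommandLine, User) are an assumption modelled on Sysmon Event ID 1, and the events are constructed here rather than real telemetry.

```python
import ntpath
from typing import Iterable

# Process name the story's searches look for (from the narrative above).
WATCHED_NAMES = {"microsoft.workflow.compiler.exe"}


def is_proxy_execution(event: dict) -> bool:
    """True when the created process is microsoft.workflow.compiler.exe.

    Matches on the on-disk file name and on the PE's OriginalFileName
    (assumed Sysmon field), so a renamed copy of the binary still triggers.
    """
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    return image in WATCHED_NAMES or original in WATCHED_NAMES


def find_hits(events: Iterable[dict]) -> list[dict]:
    """Return one compact triage record per matching process-creation event."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 1 and is_proxy_execution(ev):
            hits.append({
                "user": ev.get("User", ""),
                "parent": ntpath.basename(ev.get("ParentImage", "")),
                "command": ev.get("CommandLine", ""),
            })
    return hits


# Constructed Sysmon-style events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "CORP\\build01",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe",
     "OriginalFileName": "Microsoft.Workflow.Compiler.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "Microsoft.Workflow.Compiler.exe job.xml job.out"},
    {"EventID": 1, "User": "CORP\\jdoe",  # renamed copy: only OriginalFileName gives it away
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "OriginalFileName": "Microsoft.Workflow.Compiler.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "update.exe job.xml job.out"},
    {"EventID": 1, "User": "CORP\\jdoe",  # benign process, must not match
     "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 3,  # network event, not a process creation, so ignored
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(hit)
```

Both hits are worth reviewing, but the build host's cmd.exe parent is the kind of expected activity the story's searches would need tuning for, while the renamed copy launched from PowerShell under a user profile is the case the story is written for.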