T1127

Trusted Developer Utilities Proxy Execution

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. Utilities used for software development tasks such as MSBuild, csc.exe, vbc.exe, WinDbg, cdb.exe, tracker.exe, dnx.exe, and rcsi.exe are typically signed with legitimate Microsoft certificates, allowing them to execute code and bypass application control solutions. These utilities can compile and execute inline C#, VB.NET, or native shellcode embedded in project files, scripts, or command-line arguments, effectively masquerading malicious execution as legitimate developer activity. Adversaries also leverage these tools to bypass Smart App Control by abusing the OS trust model for signed binaries that support arbitrary code execution.

Microsoft Sentinel / Defender

kusto

let TrustedDevUtils = dynamic([
  "msbuild.exe", "csc.exe", "vbc.exe", "jsc.exe",
  "dnx.exe", "rcsi.exe", "tracker.exe",
  "cdb.exe", "windbg.exe", "kd.exe", "ntsd.exe",
  "msdeploy.exe", "xwizard.exe", "mshta.exe"
]);
let SuspiciousParents = dynamic([
  "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
  "msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe",
  "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe",
  "powershell.exe", "pwsh.exe"
]);
let SuspiciousPaths = dynamic([
  "\\Temp\\", "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\",
  "\\ProgramData\\", "\\Users\\Public\\", "\\Downloads\\"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (TrustedDevUtils)
| extend LaunchedBySuspiciousParent = InitiatingProcessFileName in~ (SuspiciousParents)
| extend FileFromSuspiciousPath = ProcessCommandLine has_any (SuspiciousPaths)
| extend MSBuildInlineTask = FileName =~ "msbuild.exe" and ProcessCommandLine has_any (".csproj", ".proj", ".xml", ".targets", ".tasks")
| extend CompilerFromTemp = FileName in~ ("csc.exe", "vbc.exe", "jsc.exe") and ProcessCommandLine has_any (SuspiciousPaths)
| extend DebuggerShellcode = FileName in~ ("cdb.exe", "windbg.exe", "ntsd.exe", "kd.exe") and ProcessCommandLine has_any ("-pd", "-pv", "-cf", "-c ")
| extend TrackerExec = FileName =~ "tracker.exe" and ProcessCommandLine has_any ("/d3", "/dumpstartuplogging", ".dll", ".exe")
| extend RareUtility = FileName in~ ("dnx.exe", "rcsi.exe")
| where LaunchedBySuspiciousParent
     or FileFromSuspiciousPath
     or CompilerFromTemp
     or DebuggerShellcode
     or TrackerExec
     or RareUtility
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         FolderPath,
         LaunchedBySuspiciousParent, FileFromSuspiciousPath, MSBuildInlineTask,
         CompilerFromTemp, DebuggerShellcode, TrackerExec, RareUtility
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Developer workstations where engineers legitimately invoke MSBuild, csc.exe, or vbc.exe from scripts and IDE terminal sessions
CI/CD agents (Azure DevOps, Jenkins, TeamCity) that build .NET code using MSBuild or csc.exe — often running as SYSTEM or a service account from non-standard working directories
IT automation frameworks that compile helper DLLs on-demand from scripts (e.g., some Ansible Windows modules use inline C# via csc.exe)
Debugging and crash analysis workflows where WinDbg or cdb.exe is legitimately invoked by developers or support engineers
Visual Studio and Roslyn toolchain processes that compile code from user profile temp directories during incremental builds

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\msbuild.exe" OR Image="*\\csc.exe" OR Image="*\\vbc.exe" OR Image="*\\jsc.exe"
   OR Image="*\\dnx.exe" OR Image="*\\rcsi.exe" OR Image="*\\tracker.exe"
   OR Image="*\\cdb.exe" OR Image="*\\windbg.exe" OR Image="*\\kd.exe" OR Image="*\\ntsd.exe"
   OR Image="*\\msdeploy.exe")
| eval SuspiciousParent=if(match(ParentImage, "(?i)(winword|excel|powerpnt|outlook|msedge|chrome|firefox|iexplore|wscript|cscript|mshta|powershell|pwsh)\.exe"), 1, 0)
| eval TempPathArg=if(match(CommandLine, "(?i)(\\\\temp\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\appdata\\\\roaming\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\downloads\\\\)"), 1, 0)
| eval MSBuildInlineTask=if(match(Image, "(?i)msbuild\.exe") AND match(CommandLine, "(?i)(\.csproj|\.proj|\.xml|\.targets|\.tasks)"), 1, 0)
| eval DebuggerShellcode=if(match(Image, "(?i)(cdb|windbg|ntsd|kd)\.exe") AND match(CommandLine, "(?i)(-pd|-pv|-cf|-c\s)"), 1, 0)
| eval TrackerExec=if(match(Image, "(?i)tracker\.exe") AND match(CommandLine, "(?i)(\/d3|\/dumpstartuplogging|\.dll|\.exe)"), 1, 0)
| eval RareUtility=if(match(Image, "(?i)(dnx|rcsi)\.exe"), 1, 0)
| eval SuspicionScore=SuspiciousParent + TempPathArg + MSBuildInlineTask + DebuggerShellcode + TrackerExec + RareUtility
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        SuspiciousParent, TempPathArg, MSBuildInlineTask, DebuggerShellcode,
        TrackerExec, RareUtility, SuspicionScore
| sort - SuspicionScore, - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Developer workstations with local build pipelines invoking MSBuild, csc.exe, or vbc.exe from non-standard paths
CI/CD build agents running as service accounts that compile .NET projects using MSBuild from temp staging directories
IT automation tools (Ansible, Chef) using inline C# compilation via csc.exe for Windows module execution
Crash dump analysis and reverse engineering workflows where cdb.exe or WinDbg is used legitimately by security or engineering teams
Roslyn-based IDE incremental compilation writing temporary assemblies to AppData or Temp directories during development

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "Process Name" AS process_name,
  "Process Command Line" AS command_line,
  "Parent Process Name" AS parent_process_name,
  CASE
    WHEN LOWER("Parent Process Name") MATCHES '(winword|excel|powerpnt|outlook|msedge|chrome|firefox|iexplore|wscript|cscript|mshta|powershell|pwsh)\.exe' THEN 1
    ELSE 0
  END AS suspicious_parent,
  CASE
    WHEN LOWER("Process Command Line") MATCHES '(\\\\temp\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\appdata\\\\roaming\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\downloads\\\\)' THEN 1
    ELSE 0
  END AS temp_path_arg,
  CASE
    WHEN LOWER("Process Name") = 'msbuild.exe' AND LOWER("Process Command Line") MATCHES '(\.csproj|\.proj|\.xml|\.targets|\.tasks)' THEN 1
    ELSE 0
  END AS msbuild_inline_task,
  CASE
    WHEN LOWER("Process Name") MATCHES '(cdb|windbg|ntsd|kd)\.exe' AND LOWER("Process Command Line") MATCHES '(-pd|-pv|-cf|-c )' THEN 1
    ELSE 0
  END AS debugger_shellcode,
  CASE
    WHEN LOWER("Process Name") = 'tracker.exe' AND LOWER("Process Command Line") MATCHES '(/d3|/dumpstartuplogging|\.dll|\.exe)' THEN 1
    ELSE 0
  END AS tracker_exec,
  CASE
    WHEN LOWER("Process Name") MATCHES '(dnx|rcsi)\.exe' THEN 1
    ELSE 0
  END AS rare_utility
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND LOWER("Process Name") MATCHES '(msbuild|csc|vbc|jsc|dnx|rcsi|tracker|cdb|windbg|kd|ntsd|msdeploy|xwizard|mshta)\.exe'
  AND (
    LOWER("Parent Process Name") MATCHES '(winword|excel|powerpnt|outlook|msedge|chrome|firefox|iexplore|wscript|cscript|mshta|powershell|pwsh)\.exe'
    OR LOWER("Process Command Line") MATCHES '(\\\\temp\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\downloads\\\\)'
    OR (LOWER("Process Name") = 'msbuild.exe' AND LOWER("Process Command Line") MATCHES '(\.csproj|\.proj|\.xml|\.targets|\.tasks)')
    OR (LOWER("Process Name") MATCHES '(cdb|windbg|ntsd|kd)\.exe' AND LOWER("Process Command Line") MATCHES '(-pd|-pv|-cf|-c )')
    OR (LOWER("Process Name") = 'tracker.exe' AND LOWER("Process Command Line") MATCHES '(/d3|/dumpstartuplogging|\.dll)')
    OR LOWER("Process Name") MATCHES '(dnx|rcsi)\.exe'
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LAST 10000

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log Sysmon for Windows

Required Tables

events

False Positives

Legitimate developer workstations running MSBuild or csc.exe from Visual Studio or JetBrains IDEs that store temp build artifacts under AppData paths
Automated patch management tools that invoke msdeploy.exe or msbuild.exe from ProgramData directories for application updates
Security teams running WinDbg or cdb.exe with standard debugging flags against monitored endpoints during kernel or crash dump analysis

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| where EventID = 1 OR EventID = 4688
| parse field=Image "*\\*" as drive, process_image nodrop
| parse field=ParentImage "*\\*" as parent_drive, parent_image nodrop
| where process_image in ("msbuild.exe", "csc.exe", "vbc.exe", "jsc.exe", "dnx.exe", "rcsi.exe", "tracker.exe", "cdb.exe", "windbg.exe", "kd.exe", "ntsd.exe", "msdeploy.exe", "xwizard.exe", "mshta.exe")
| if (matches(toLowerCase(ParentImage), ".*(winword|excel|powerpnt|outlook|msedge|chrome|firefox|iexplore|wscript|cscript|mshta|powershell|pwsh)\.exe.*"), 1, 0) as suspicious_parent
| if (matches(toLowerCase(CommandLine), ".*(\\\\temp\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\appdata\\\\roaming\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\downloads\\\\).*"), 1, 0) as temp_path_arg
| if (process_image="msbuild.exe" and matches(toLowerCase(CommandLine), ".*(\x2ecsproj|\x2eproj|\x2exml|\x2etargets|\x2etasks).*"), 1, 0) as msbuild_inline_task
| if (matches(toLowerCase(process_image), ".*(cdb|windbg|ntsd|kd)\.exe.*") and matches(CommandLine, ".*(-pd|-pv|-cf|-c ).*"), 1, 0) as debugger_shellcode
| if (process_image="tracker.exe" and matches(toLowerCase(CommandLine), ".*/d3|/dumpstartuplogging|\.dll.*"), 1, 0) as tracker_exec
| if (process_image in ("dnx.exe", "rcsi.exe"), 1, 0) as rare_utility
| where suspicious_parent + temp_path_arg + msbuild_inline_task + debugger_shellcode + tracker_exec + rare_utility > 0
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, suspicious_parent, temp_path_arg, msbuild_inline_task, debugger_shellcode, tracker_exec, rare_utility
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Sysmon (Event ID 1) Windows Security Event Log (Event ID 4688) Sumo Logic Cloud SIEM

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Build server agents (Jenkins, TeamCity, Azure DevOps) that compile code using msbuild.exe or csc.exe with project files stored in user temp directories
Microsoft Visual Studio remote debugger sessions where devenv.exe spawns cdb.exe or ntsd.exe with debug flags as part of a legitimate debugging workflow
Enterprise software distribution systems (LANDesk, Ivanti, SCCM) using msdeploy.exe with arguments referencing ProgramData staging directories

Google Chronicle / SecOps

yaral

rule trusted_dev_util_proxy_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects MITRE ATT&CK T1127 - Trusted Developer Utilities Proxy Execution. Identifies MSBuild, csc.exe, cdb.exe, tracker.exe and related tools launched by suspicious parents or with malicious arguments."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1127"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-18"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)(msbuild|csc|vbc|jsc|dnx|rcsi|tracker|cdb|windbg|kd|ntsd|msdeploy|xwizard|mshta)\.exe$/
    (
      $e.principal.process.parent_process.file.full_path = /(?i)(winword|excel|powerpnt|outlook|msedge|chrome|firefox|iexplore|wscript|cscript|mshta|cmd|powershell|pwsh)\.exe$/
      or
      $e.target.process.command_line = /(?i)(\\temp\\|\\appdata\\local\\temp\\|\\appdata\\roaming\\|\\programdata\\|\\users\\public\\|\\downloads\\)/
      or
      (
        $e.principal.process.file.full_path = /(?i)msbuild\.exe$/
        and
        $e.target.process.command_line = /(?i)(\x2ecsproj|\x2eproj|\x2exml|\x2etargets|\x2etasks)/
      )
      or
      (
        $e.principal.process.file.full_path = /(?i)(cdb|windbg|ntsd|kd)\.exe$/
        and
        $e.target.process.command_line = /(-pd|-pv|-cf|-c )/
      )
      or
      (
        $e.principal.process.file.full_path = /(?i)tracker\.exe$/
        and
        $e.target.process.command_line = /(?i)(/d3|/dumpstartuplogging|\.dll|\.exe)/
      )
      or
      $e.principal.process.file.full_path = /(?i)(dnx|rcsi)\.exe$/
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows Sysmon via Chronicle ingestion Microsoft Defender for Endpoint via Chronicle

Required Tables

process_launch UDM events

False Positives

Automated software build systems using MSBuild with .csproj or .targets files legitimately stored under user profile directories
IT security teams running authorized kernel debugging sessions with cdb.exe or kd.exe using standard debugging arguments like -pd or -c
ClickOnce application installers that invoke msbuild.exe or csc.exe via trusted deployment mechanisms from within AppData paths during first-run setup

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /(?i)^(msbuild|csc|vbc|jsc|dnx|rcsi|tracker|cdb|windbg|kd|ntsd|msdeploy|xwizard|mshta)\.exe$/
| SuspiciousParent := if(ParentBaseFileName = /(?i)^(winword|excel|powerpnt|outlook|msedge|chrome|firefox|iexplore|wscript|cscript|mshta|cmd|powershell|pwsh)\.exe$/, 1, 0)
| TempPathArg := if(CommandLine = /(?i)(\\temp\\|\\appdata\\local\\temp\\|\\appdata\\roaming\\|\\programdata\\|\\users\\public\\|\\downloads\\)/, 1, 0)
| MSBuildInlineTask := if(FileName = /(?i)^msbuild\.exe$/ and CommandLine = /(?i)(\x2ecsproj|\x2eproj|\x2exml|\x2etargets|\x2etasks)/, 1, 0)
| CompilerFromTemp := if(FileName = /(?i)^(csc|vbc|jsc)\.exe$/ and CommandLine = /(?i)(\\temp\\|\\appdata\\|\\programdata\\|\\users\\public\\)/, 1, 0)
| DebuggerShellcode := if(FileName = /(?i)^(cdb|windbg|ntsd|kd)\.exe$/ and CommandLine = /(-pd|-pv|-cf|-c )/, 1, 0)
| TrackerExec := if(FileName = /(?i)^tracker\.exe$/ and CommandLine = /(?i)(\/d3|\/dumpstartuplogging|\.dll|\.exe)/, 1, 0)
| RareUtility := if(FileName = /(?i)^(dnx|rcsi)\.exe$/, 1, 0)
| SuspicionScore := SuspiciousParent + TempPathArg + MSBuildInlineTask + CompilerFromTemp + DebuggerShellcode + TrackerExec + RareUtility
| SuspicionScore > 0
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, SuspiciousParent, TempPathArg, MSBuildInlineTask, CompilerFromTemp, DebuggerShellcode, TrackerExec, RareUtility, SuspicionScore])
| sort(SuspicionScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon ProcessRollup2 events

Required Tables

ProcessRollup2

False Positives

Developer workstations with Visual Studio or Rider IDEs where MSBuild is frequently invoked with .csproj files from user profile paths during local builds
Security researchers using cdb.exe or WinDbg with debugging arguments (-pd, -c) as part of legitimate malware analysis or reverse engineering work on approved systems
Enterprise application packaging workflows (InstallShield, WiX, Advanced Installer) that call csc.exe or msbuild.exe from staging directories under ProgramData

Last updated: 2026-04-18 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1127 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Trusted Developer Utilities Proxy Execution

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (3)

Same Tactic: Defense Evasion

Popular Detections