Which SIEM platforms have a T1127 detection rule?

df00tech provides T1127 (Trusted Developer Utilities Proxy Execution) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Trusted Developer Utilities Proxy Execution (T1127)?

Detecting Trusted Developer Utilities Proxy Execution requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1127 detection?

The T1127 detection is rated high severity with high confidence.

What are common false positives for T1127?

Common false positives for T1127 include: Developer workstations where engineers legitimately invoke MSBuild, csc.exe, or vbc.exe from scripts and IDE terminal sessions; CI/CD agents (Azure DevOps, Jenkins, TeamCity) that build .NET code using MSBuild or csc.exe — often running as SYSTEM or a service account from non-standard working directories; IT automation frameworks that compile helper DLLs on-demand from scripts (e.g., some Ansible Windows modules use inline C# via csc.exe).

T1127 Elastic Security · Elastic

Detect Trusted Developer Utilities Proxy Execution in Elastic Security

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. Utilities used for software development tasks such as MSBuild, csc.exe, vbc.exe, WinDbg, cdb.exe, tracker.exe, dnx.exe, and rcsi.exe are typically signed with legitimate Microsoft certificates, allowing them to execute code and bypass application control solutions. These utilities can compile and execute inline C#, VB.NET, or native shellcode embedded in project files, scripts, or command-line arguments, effectively masquerading malicious execution as legitimate developer activity. Adversaries also leverage these tools to bypass Smart App Control by abusing the OS trust model for signed binaries that support arbitrary code execution.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1127 Trusted Developer Utilities Proxy Execution
Canonical reference: https://attack.mitre.org/techniques/T1127/

Elastic Detection Query

Elastic Security (Elastic)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start" and
   process.name : ("msbuild.exe", "csc.exe", "vbc.exe", "jsc.exe", "dnx.exe", "rcsi.exe", "tracker.exe", "cdb.exe", "windbg.exe", "kd.exe", "ntsd.exe", "msdeploy.exe", "xwizard.exe", "mshta.exe") and
   (
     process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe") or
     process.args : ("*\\Temp\\*", "*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*", "*\\ProgramData\\*", "*\\Users\\Public\\*", "*\\Downloads\\*") or
     (process.name : "msbuild.exe" and process.args : ("*.csproj", "*.proj", "*.xml", "*.targets", "*.tasks")) or
     (process.name : ("csc.exe", "vbc.exe", "jsc.exe") and process.args : ("*\\Temp\\*", "*\\AppData\\*", "*\\ProgramData\\*", "*\\Users\\Public\\*")) or
     (process.name : ("cdb.exe", "windbg.exe", "ntsd.exe", "kd.exe") and process.args : ("-pd", "-pv", "-cf", "-c ")) or
     (process.name : "tracker.exe" and process.args : ("/d3", "/dumpstartuplogging", "*.dll", "*.exe")) or
     process.name : ("dnx.exe", "rcsi.exe")
   )
  ]

high severity high confidence

Detects abuse of trusted Microsoft developer utilities (MSBuild, csc.exe, cdb.exe, tracker.exe, etc.) for proxy execution of malicious payloads. Triggers on suspicious parent processes, arguments referencing writable paths, inline task file extensions, debugger shellcode flags, or rare utilities like dnx.exe and rcsi.exe.

Data Sources

Elastic Endpoint SecurityWindows Sysmon via Elastic AgentAuditbeat

Required Tables

logs-endpoint.events.process-*winlogbeat-*filebeat-*

False Positives & Tuning

Legitimate software build pipelines that invoke MSBuild or csc.exe from CI/CD agents running under user profiles in AppData paths
Security researchers or developers debugging applications using cdb.exe or WinDbg with -pd or -cf flags in lab environments
Enterprise deployment tools (e.g., SCCM, Ansible) launching msdeploy.exe or msbuild.exe from ProgramData directories as part of software packaging

Download portable Sigma rule (.yml)

Other platforms for T1127

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1MSBuild Inline Task Execution via Malicious Project File
Expected signal: Sysmon Event ID 1: Process Create for MSBuild.exe with CommandLine referencing %TEMP%\malicious.csproj. Sysmon Event ID 11: File Create for %TEMP%\malicious.csproj. Sysmon Event ID 1 child: cmd.exe spawned by MSBuild.exe with /c whoami argument. Sysmon Event ID 11: File Create for %TEMP%\msbuild-test.txt. Security Event ID 4688 for both MSBuild.exe and cmd.exe if command line auditing is enabled.
Test 2On-the-Fly C# Compilation and Execution via csc.exe
Expected signal: Sysmon Event ID 11: File Create for %TEMP%\df00tech_test.cs. Sysmon Event ID 1: Process Create for csc.exe with CommandLine referencing %TEMP% source and output paths. Sysmon Event ID 11: File Create for %TEMP%\df00tech_test.exe and %TEMP%\df00tech_test.pdb. Sysmon Event ID 1: Process Create for %TEMP%\df00tech_test.exe (unsigned binary from temp path). AmCache will record the new executable's first execution.
Test 3Shellcode Execution via CDB.exe Debugger with Command Script Flag
Expected signal: Sysmon Event ID 1: Process Create for cdb.exe with CommandLine containing -c, -pv, and -pd flags. Sysmon Event ID 1: Process Create for notepad.exe spawned by cdb.exe. Security Event ID 4688 for cdb.exe if command line auditing enabled. The -c flag content (.echo) will appear in the command line.
Test 4Tracker.exe Proxy Execution via /d3 Logging Flag
Expected signal: Sysmon Event ID 1: Process Create for Tracker.exe with CommandLine containing /d3 and referencing a DLL. Sysmon Event ID 7: Image Load events for shell32.dll under the Tracker.exe process context. Sysmon Event ID 1: Process Create for whoami.exe as a child of Tracker.exe. Security Event ID 4688 for Tracker.exe and whoami.exe.

Last updated: 2026-04-18 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1127 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Trusted Developer Utilities Proxy Execution in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1127

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (3)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1127

Testing Methodology

Unlock Pro Content

Related Detections

Sub-techniques (3)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox