
Detect Trusted Developer Utilities Proxy Execution in IBM QRadar

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. Utilities used for software development tasks such as MSBuild, csc.exe, vbc.exe, WinDbg, cdb.exe, tracker.exe, dnx.exe, and rcsi.exe are typically signed with legitimate Microsoft certificates, allowing them to execute code and bypass application control solutions. These utilities can compile and execute inline C#, VB.NET, or native shellcode embedded in project files, scripts, or command-line arguments, effectively masquerading malicious execution as legitimate developer activity. Adversaries also leverage these tools to bypass Smart App Control by abusing the OS trust model for signed binaries that support arbitrary code execution.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1127 Trusted Developer Utilities Proxy Execution
Canonical reference
https://attack.mitre.org/techniques/T1127/

QRadar Detection Query

IBM QRadar (QRadar)
AQL
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "Process Name" AS process_name,
  "Process Command Line" AS command_line,
  "Parent Process Name" AS parent_process_name,
  CASE
    WHEN LOWER("Parent Process Name") MATCHES '.*(winword|excel|powerpnt|outlook|msedge|chrome|firefox|iexplore|wscript|cscript|mshta|powershell|pwsh)\.exe' THEN 1
    ELSE 0
  END AS suspicious_parent,
  CASE
    WHEN LOWER("Process Command Line") MATCHES '.*(\\\\temp\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\appdata\\\\roaming\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\downloads\\\\).*' THEN 1
    ELSE 0
  END AS temp_path_arg,
  CASE
    WHEN LOWER("Process Name") MATCHES '.*msbuild\.exe' AND LOWER("Process Command Line") MATCHES '.*(\.csproj|\.proj|\.xml|\.targets|\.tasks).*' THEN 1
    ELSE 0
  END AS msbuild_inline_task,
  CASE
    WHEN LOWER("Process Name") MATCHES '.*(cdb|windbg|ntsd|kd)\.exe' AND LOWER("Process Command Line") MATCHES '.*(-pd|-pv|-cf|-c ).*' THEN 1
    ELSE 0
  END AS debugger_shellcode,
  CASE
    WHEN LOWER("Process Name") MATCHES '.*tracker\.exe' AND LOWER("Process Command Line") MATCHES '.*(/d3|/dumpstartuplogging|\.dll).*' THEN 1
    ELSE 0
  END AS tracker_exec,
  CASE
    WHEN LOWER("Process Name") MATCHES '.*(dnx|rcsi)\.exe' THEN 1
    ELSE 0
  END AS rare_utility
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND LOWER("Process Name") MATCHES '.*(msbuild|csc|vbc|jsc|dnx|rcsi|tracker|cdb|windbg|kd|ntsd|msdeploy|xwizard|mshta)\.exe'
  AND (
    LOWER("Parent Process Name") MATCHES '.*(winword|excel|powerpnt|outlook|msedge|chrome|firefox|iexplore|wscript|cscript|mshta|powershell|pwsh)\.exe'
    OR LOWER("Process Command Line") MATCHES '.*(\\\\temp\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\appdata\\\\roaming\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\downloads\\\\).*'
    OR (LOWER("Process Name") MATCHES '.*msbuild\.exe' AND LOWER("Process Command Line") MATCHES '.*(\.csproj|\.proj|\.xml|\.targets|\.tasks).*')
    OR (LOWER("Process Name") MATCHES '.*(cdb|windbg|ntsd|kd)\.exe' AND LOWER("Process Command Line") MATCHES '.*(-pd|-pv|-cf|-c ).*')
    OR (LOWER("Process Name") MATCHES '.*tracker\.exe' AND LOWER("Process Command Line") MATCHES '.*(/d3|/dumpstartuplogging|\.dll).*')
    OR LOWER("Process Name") MATCHES '.*(dnx|rcsi)\.exe'
  )
ORDER BY starttime DESC
LIMIT 10000
LAST 24 HOURS

Notes on the query: AQL MATCHES is a full-string match, so every pattern is wrapped in .* and the process-name checks use MATCHES rather than equality, which keeps them working when "Process Name" carries the full image path (the usual case for Sysmon Image). The original tracker_exec column also counted a bare \.exe in the command line, which is always true because the command line starts with tracker.exe; that alternative is dropped so the column agrees with the WHERE clause. The appdata\roaming path is now checked in both the temp_path_arg column and the WHERE clause. Row cap and time window use LIMIT and LAST 24 HOURS, the AQL clauses for that purpose.

Severity
High
Confidence
Medium

Detects trusted developer utility proxy execution (T1127) by monitoring process creation events for MSBuild, csc.exe, cdb.exe, tracker.exe, and related tools launched under suspicious conditions including browser/Office parents, temp path arguments, inline task extensions, debugger shellcode flags, and rare utilities.

Data Sources

  • Microsoft Windows Security Event Log
  • Sysmon for Windows

Required Tables

events

False Positives & Tuning

  • Legitimate developer workstations running MSBuild or csc.exe from Visual Studio or JetBrains IDEs that store temp build artifacts under AppData paths. Tune on the parent process (devenv.exe, the IDE, or MSBuild.exe itself) and the project location rather than by excluding MSBuild outright, so that the Office/browser-parent, debugger-flag and tracker branches keep firing.
  • Automated patch management tools that invoke msdeploy.exe or msbuild.exe from ProgramData directories for application updates
  • Security teams running WinDbg or cdb.exe with standard debugging flags against monitored endpoints during kernel or crash dump analysis
  • mshta.exe (T1218.005) and xwizard.exe in the process list are proxy-execution LOLBins rather than developer utilities; if a separate System Binary Proxy Execution (T1218) rule already covers them, drop them from this rule's process list to avoid duplicate alerts
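The rule's six flag columns, its WHERE clause and the parent-process tuning suggested above, re-implemented in Python and run over constructed Sysmon Event ID 1 style records. This is an added example, not code from the original page or from IBM QRadar. The sample events are constructed, not real telemetry, and the BUILD_HOST_PARENTS allowlist is an assumed tuning choice; the regexes mirror the AQL patterns but use re.search on the lower-cased field, which is why they do not need the leading .* that AQL's full-string MATCHES requires.

```python
import re
from dataclasses import dataclass

# Added example (not the page's or QRadar's own code): the AQL rule's branches
# in Python so they can be exercised offline against constructed records.
# BUILD_HOST_PARENTS is an assumed tuning allowlist, not something the page prescribes.


@dataclass
class ProcEvent:
    image: str          # Sysmon Image, the rule's "Process Name"
    command_line: str   # CommandLine, the rule's "Process Command Line"
    parent_image: str   # ParentImage, the rule's "Parent Process Name"


# Patterns track the AQL query. Image patterns are anchored on the last path
# component so a full path such as C:\...\MSBuild.exe still matches.
TARGET_IMAGE = re.compile(r"\\(msbuild|csc|vbc|jsc|dnx|rcsi|tracker|cdb|windbg|kd|ntsd|msdeploy|xwizard|mshta)\.exe$")
SUSPICIOUS_PARENT = re.compile(r"\\(winword|excel|powerpnt|outlook|msedge|chrome|firefox|iexplore|wscript|cscript|mshta|powershell|pwsh)\.exe$")
DEBUGGER_IMAGE = re.compile(r"\\(cdb|windbg|ntsd|kd)\.exe$")
RARE_UTILITY = re.compile(r"\\(dnx|rcsi)\.exe$")
TEMP_PATH = re.compile(r"\\(temp|appdata\\local\\temp|appdata\\roaming|programdata|users\\public|downloads)\\")
MSBUILD_PROJECT = re.compile(r"\.(csproj|proj|xml|targets|tasks)\b")
DEBUGGER_FLAGS = re.compile(r"(?:^|\s)-(pd|pv|cf|c)(?:\s|$)")
TRACKER_FLAGS = re.compile(r"/d3|/dumpstartuplogging|\.dll\b")

# Assumed tuning: MSBuild/csc runs driven by an IDE or by the build host itself
# are developer activity unless one of the high-signal branches also fires.
BUILD_HOST_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "rider64.exe"}
HIGH_SIGNAL = {"suspicious_parent", "debugger_shellcode", "tracker_exec", "rare_utility"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent):
    """Return the rule's six flag columns for an in-scope image, or None if the image is out of scope."""
    image, cmd, parent = ev.image.lower(), ev.command_line.lower(), ev.parent_image.lower()
    if not TARGET_IMAGE.search(image):
        return None
    return {
        "suspicious_parent": bool(SUSPICIOUS_PARENT.search(parent)),
        "temp_path_arg": bool(TEMP_PATH.search(cmd)),
        "msbuild_inline_task": basename(image) == "msbuild.exe" and bool(MSBUILD_PROJECT.search(cmd)),
        "debugger_shellcode": bool(DEBUGGER_IMAGE.search(image)) and bool(DEBUGGER_FLAGS.search(cmd)),
        "tracker_exec": basename(image) == "tracker.exe" and bool(TRACKER_FLAGS.search(cmd)),
        "rare_utility": bool(RARE_UTILITY.search(image)),
    }


def alert(ev: ProcEvent):
    """Apply the WHERE clause plus the assumed tuning; return the set of flags that fired, or None."""
    flags = classify(ev)
    if not flags or not any(flags.values()):
        return None
    fired = {name for name, hit in flags.items() if hit}
    if basename(ev.parent_image) in BUILD_HOST_PARENTS and not (fired & HIGH_SIGNAL):
        return None  # temp-path or project-file hits alone are expected under an IDE or build host
    return fired


# Constructed records (not real telemetry) mirroring the page's test cases plus benign builds.
SAMPLE_EVENTS = {
    "test1_msbuild_from_word": ProcEvent(
        r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        r"MSBuild.exe C:\Users\user\AppData\Local\Temp\malicious.csproj",
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    "test3_cdb_script": ProcEvent(
        r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
        'cdb.exe -pd -pv -c ".echo test;q" notepad.exe',
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    "test4_tracker_dll": ProcEvent(
        r"C:\Program Files (x86)\MSBuild\14.0\Bin\Tracker.exe",
        r"Tracker.exe /d3 C:\Users\Public\test.dll /c whoami.exe",
        r"C:\Windows\System32\cmd.exe"),
    "benign_vs_build": ProcEvent(
        r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
        r"MSBuild.exe C:\src\app\app.csproj /p:IntermediateOutputPath=C:\Users\dev\AppData\Local\Temp\obj",
        r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"),
    "benign_csc_from_msbuild": ProcEvent(
        r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        r"csc.exe /noconfig @C:\src\app\obj\Release\app.csproj.rsp",
        r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"),
    "out_of_scope": ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
}


def run_samples():
    """Evaluate every sample; maps name -> set of fired flags, or None when no alert is raised."""
    return {name: alert(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, fired in run_samples().items():
        print(f"{name:26} -> {sorted(fired) if fired else 'no alert'}")
```

The benign Visual Studio build is the interesting case: classify() sets temp_path_arg and msbuild_inline_task exactly as the AQL columns would, so without tuning it would alert; the parent-process allowlist suppresses it because no high-signal branch fired, while the Word-spawned MSBuild run keeps alerting on the parent alone.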

Testing Methodology

Validate this detection against the four Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see; after each run, confirm that the resulting event is returned by the query and that the corresponding flag column (msbuild_inline_task, temp_path_arg, debugger_shellcode or tracker_exec) is set to 1.

  1. Test 1: MSBuild Inline Task Execution via Malicious Project File

    Expected signal: Sysmon Event ID 1: Process Create for MSBuild.exe with CommandLine referencing %TEMP%\malicious.csproj. Sysmon Event ID 11: File Create for %TEMP%\malicious.csproj. Sysmon Event ID 1 child: cmd.exe spawned by MSBuild.exe with /c whoami argument. Sysmon Event ID 11: File Create for %TEMP%\msbuild-test.txt. Security Event ID 4688 for both MSBuild.exe and cmd.exe if command line auditing is enabled.

  2. Test 2: On-the-Fly C# Compilation and Execution via csc.exe

    Expected signal: Sysmon Event ID 11: File Create for %TEMP%\df00tech_test.cs. Sysmon Event ID 1: Process Create for csc.exe with CommandLine referencing %TEMP% source and output paths. Sysmon Event ID 11: File Create for %TEMP%\df00tech_test.exe and %TEMP%\df00tech_test.pdb. Sysmon Event ID 1: Process Create for %TEMP%\df00tech_test.exe (unsigned binary from temp path). AmCache will record the new executable's first execution.

  3. Test 3: Shellcode Execution via CDB.exe Debugger with Command Script Flag

    Expected signal: Sysmon Event ID 1: Process Create for cdb.exe with CommandLine containing -c, -pv, and -pd flags. Sysmon Event ID 1: Process Create for notepad.exe spawned by cdb.exe. Security Event ID 4688 for cdb.exe if command line auditing enabled. The -c flag content (.echo) will appear in the command line.

  4. Test 4: Tracker.exe Proxy Execution via /d3 Logging Flag

    Expected signal: Sysmon Event ID 1: Process Create for Tracker.exe with CommandLine containing /d3 and referencing a DLL. Sysmon Event ID 7: Image Load events for shell32.dll under the Tracker.exe process context. Sysmon Event ID 1: Process Create for whoami.exe as a child of Tracker.exe. Security Event ID 4688 for Tracker.exe and whoami.exe.
