T1127 Splunk · SPL

Detect Trusted Developer Utilities Proxy Execution in Splunk

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. Utilities used for software development tasks such as MSBuild, csc.exe, vbc.exe, WinDbg, cdb.exe, tracker.exe, dnx.exe, and rcsi.exe are typically signed with legitimate Microsoft certificates, allowing them to execute code and bypass application control solutions. These utilities can compile and execute inline C#, VB.NET, or native shellcode embedded in project files, scripts, or command-line arguments, effectively masquerading malicious execution as legitimate developer activity. Adversaries also leverage these tools to bypass Smart App Control by abusing the OS trust model for signed binaries that support arbitrary code execution.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1127 Trusted Developer Utilities Proxy Execution
Canonical reference
https://attack.mitre.org/techniques/T1127/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\msbuild.exe" OR Image="*\\csc.exe" OR Image="*\\vbc.exe" OR Image="*\\jsc.exe"
   OR Image="*\\dnx.exe" OR Image="*\\rcsi.exe" OR Image="*\\tracker.exe"
   OR Image="*\\cdb.exe" OR Image="*\\windbg.exe" OR Image="*\\kd.exe" OR Image="*\\ntsd.exe"
   OR Image="*\\msdeploy.exe")
| eval SuspiciousParent=if(match(ParentImage, "(?i)(winword|excel|powerpnt|outlook|msedge|chrome|firefox|iexplore|wscript|cscript|mshta|powershell|pwsh)\.exe"), 1, 0)
| eval TempPathArg=if(match(CommandLine, "(?i)(\\\\temp\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\appdata\\\\roaming\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\downloads\\\\)"), 1, 0)
| eval MSBuildInlineTask=if(match(Image, "(?i)msbuild\.exe") AND match(CommandLine, "(?i)(\.csproj|\.proj|\.xml|\.targets|\.tasks)"), 1, 0)
| eval DebuggerShellcode=if(match(Image, "(?i)(cdb|windbg|ntsd|kd)\.exe") AND match(CommandLine, "(?i)(-pd|-pv|-cf|-c\s)"), 1, 0)
| eval TrackerExec=if(match(Image, "(?i)tracker\.exe") AND match(CommandLine, "(?i)(\/d3|\/dumpstartuplogging|\.dll|\.exe)"), 1, 0)
| eval RareUtility=if(match(Image, "(?i)(dnx|rcsi)\.exe"), 1, 0)
| eval SuspicionScore=SuspiciousParent + TempPathArg + MSBuildInlineTask + DebuggerShellcode + TrackerExec + RareUtility
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        SuspiciousParent, TempPathArg, MSBuildInlineTask, DebuggerShellcode,
        TrackerExec, RareUtility, SuspicionScore
| sort - SuspicionScore, - _time
high severity high confidence

Detects suspicious execution of trusted developer utilities via Sysmon Event ID 1 (Process Creation). Evaluates each process creation against six detection branches: suspicious parent process lineage, temp/user path references in arguments, MSBuild inline task file extensions, debugger-mode shellcode flags for cdb/WinDbg, tracker.exe abuse patterns, and rare utilities (dnx.exe, rcsi.exe) with virtually no legitimate enterprise use. A cumulative suspicion score helps analysts triage severity — score >= 2 indicates likely malicious activity.

Data Sources

Process: Process CreationCommand: Command ExecutionSysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Developer workstations with local build pipelines invoking MSBuild, csc.exe, or vbc.exe from non-standard paths
  • CI/CD build agents running as service accounts that compile .NET projects using MSBuild from temp staging directories
  • IT automation tools (Ansible, Chef) using inline C# compilation via csc.exe for Windows module execution
  • Crash dump analysis and reverse engineering workflows where cdb.exe or WinDbg is used legitimately by security or engineering teams
  • Roslyn-based IDE incremental compilation writing temporary assemblies to AppData or Temp directories during development
Download portable Sigma rule (.yml)

Other platforms for T1127

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1MSBuild Inline Task Execution via Malicious Project File

    Expected signal: Sysmon Event ID 1: Process Create for MSBuild.exe with CommandLine referencing %TEMP%\malicious.csproj. Sysmon Event ID 11: File Create for %TEMP%\malicious.csproj. Sysmon Event ID 1 child: cmd.exe spawned by MSBuild.exe with /c whoami argument. Sysmon Event ID 11: File Create for %TEMP%\msbuild-test.txt. Security Event ID 4688 for both MSBuild.exe and cmd.exe if command line auditing is enabled.

  2. Test 2On-the-Fly C# Compilation and Execution via csc.exe

    Expected signal: Sysmon Event ID 11: File Create for %TEMP%\df00tech_test.cs. Sysmon Event ID 1: Process Create for csc.exe with CommandLine referencing %TEMP% source and output paths. Sysmon Event ID 11: File Create for %TEMP%\df00tech_test.exe and %TEMP%\df00tech_test.pdb. Sysmon Event ID 1: Process Create for %TEMP%\df00tech_test.exe (unsigned binary from temp path). AmCache will record the new executable's first execution.

  3. Test 3Shellcode Execution via CDB.exe Debugger with Command Script Flag

    Expected signal: Sysmon Event ID 1: Process Create for cdb.exe with CommandLine containing -c, -pv, and -pd flags. Sysmon Event ID 1: Process Create for notepad.exe spawned by cdb.exe. Security Event ID 4688 for cdb.exe if command line auditing enabled. The -c flag content (.echo) will appear in the command line.

  4. Test 4Tracker.exe Proxy Execution via /d3 Logging Flag

    Expected signal: Sysmon Event ID 1: Process Create for Tracker.exe with CommandLine containing /d3 and referencing a DLL. Sysmon Event ID 7: Image Load events for shell32.dll under the Tracker.exe process context. Sysmon Event ID 1: Process Create for whoami.exe as a child of Tracker.exe. Security Event ID 4688 for Tracker.exe and whoami.exe.

Last updated: 2026-04-18 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1127 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (3)

Related Techniques

T1127.001MSBuildT1127.002ClickOnceT1127.003JamPlusT1218System Binary Proxy ExecutionT1218.011Rundll32T1059.001PowerShellT1059.003Windows Command ShellT1105Ingress Tool TransferT1027.009Embedded PayloadsT1553.002Code SigningT1562.001Disable or Modify Tools

Same Tactic: Defense Evasion

Popular Detections