title: Trusted Developer Utilities Proxy Execution (T1127)
id: df00tech-t1127
status: experimental
description: "Adversaries may proxy execution of malicious payloads through trusted developer utilities. Tools such as MSBuild, csc.exe, vbc.exe, WinDbg, cdb.exe, tracker.exe, dnx.exe, and rcsi.exe are signed with Microsoft certificates and are often allowed by application control policies, so whatever they compile, load, or run executes under the identity of a legitimate developer tool: MSBuild executes inline C# or VB.NET tasks from a project file (including tasks that stage native shellcode in memory), csc.exe and vbc.exe compile attacker-supplied source, rcsi.exe and dnx.exe run C# scripts and .NET projects, WinDbg and cdb.exe run debugger scripts, and tracker.exe loads an arbitrary DLL into a target process. Adversaries may also use these binaries to evade Smart App Control and similar reputation-based controls that trust signed executables. Note that msbuild.exe, cdb.exe, windbg.exe, dnx.exe, and rcsi.exe are on Microsoft's WDAC recommended block list, so a policy that applies that list blocks them despite the signature."
references:
  - https://attack.mitre.org/techniques/T1127/
  - https://df00tech.com/detections/T1127
author: df00tech
date: 2026/04/18
tags:
  - attack.defense-evasion
  - attack.t1127
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Rule logic is expressed here in Sigma syntax; the KQL/SPL query on df00tech is the
  # vendor-specific rendering of the same logic and may carry additional tuning.
  selection:
    - Image|endswith:
        - '\MSBuild.exe'
        - '\csc.exe'
        - '\vbc.exe'
        - '\windbg.exe'
        - '\cdb.exe'
        - '\tracker.exe'
        - '\dnx.exe'
        - '\rcsi.exe'
    # Catches renamed copies where the log source (e.g. Sysmon) records the PE's OriginalFileName.
    - OriginalFileName:
        - 'MSBuild.exe'
        - 'csc.exe'
        - 'vbc.exe'
        - 'windbg.exe'
        - 'cdb.exe'
        - 'tracker.exe'
        - 'dnx.exe'
        - 'rcsi.exe'
  filter_ide_build:
    # Ordinary build chain: Visual Studio driving MSBuild, and csc.exe/vbc.exe spawned by
    # MSBuild or the Roslyn compiler server. A malicious MSBuild launched from a shell or
    # Office process still fires because the MSBuild process itself has no such parent.
    ParentImage|endswith:
      - '\devenv.exe'
      - '\MSBuild.exe'
      - '\VBCSCompiler.exe'
  condition: selection and not filter_ide_build
falsepositives:
  - "Developer workstations where engineers legitimately invoke MSBuild, csc.exe, or vbc.exe from scripts and IDE terminal sessions"
  - "CI/CD agents (Azure DevOps, Jenkins, TeamCity) that build .NET code using MSBuild or csc.exe — often running as SYSTEM or a service account from non-standard working directories"
  - "IT automation frameworks that compile helper DLLs on-demand from scripts (e.g., some Ansible Windows modules use inline C# via csc.exe)"
  - Debugging and crash analysis workflows where WinDbg or cdb.exe is legitimately invoked by developers or support engineers
  - Visual Studio and Roslyn toolchain processes that compile code from user profile temp directories during incremental builds
level: high

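The selection this rule describes (image basename or PE OriginalFileName among the listed developer utilities, minus processes whose parent is an ordinary Visual Studio or MSBuild build chain), run over a handful of constructed process_creation events. This is an added example, not df00tech's detection code; the sample events, file paths, user names and the BENIGN_PARENTS set are assumptions for illustration, and the field names follow Sigma's Windows process_creation taxonomy (Image, OriginalFileName, ParentImage, CommandLine).

```python
"""Evaluate T1127 process_creation logic over constructed Sysmon-style events.

Added example, not df00tech's code. Sample data and the benign-parent list are
assumptions chosen to exercise the rule's two branches and its filter.
"""
import ntpath

# Signed developer utilities the rule selects on (basename, compared case-insensitively).
DEV_UTILITIES = {
    "msbuild.exe", "csc.exe", "vbc.exe", "windbg.exe",
    "cdb.exe", "tracker.exe", "dnx.exe", "rcsi.exe",
}

# Parents that account for the normal build chain: Visual Studio, MSBuild itself
# spawning compilers, and the Roslyn compiler server. Assumed list; tune per environment.
BENIGN_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe"}


def _basename(path):
    """Lower-cased final path component; ntpath handles Windows paths on any host."""
    return ntpath.basename(path or "").lower()


def match_reason(event):
    """Return why the event fires the rule, or None if it does not.

    Mirrors 'selection and not filter_ide_build': match on the on-disk name OR the
    PE's OriginalFileName (renamed copies), then drop events whose parent is part
    of an ordinary IDE/MSBuild build.
    """
    image = _basename(event.get("Image"))
    original = (event.get("OriginalFileName") or "").lower()
    if image in DEV_UTILITIES:
        reason = f"image {image}"
    elif original in DEV_UTILITIES:
        reason = f"renamed binary: OriginalFileName {original} on disk as {image}"
    else:
        return None
    parent = _basename(event.get("ParentImage"))
    if parent in BENIGN_PARENTS:
        return None
    return f"{reason} spawned by {parent or 'unknown parent'}"


def evaluate(events):
    """Return (event id, reason) for every event that fires the rule, in input order."""
    hits = []
    for event in events:
        reason = match_reason(event)
        if reason:
            hits.append((event["id"], reason))
    return hits


# Constructed sample events; paths, users and command lines are invented for the example.
VS_BIN = r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin"
SAMPLE_EVENTS = [
    # 1: IDE-driven build, filtered by parent devenv.exe
    {"id": 1, "Image": VS_BIN + r"\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": "MSBuild.exe /nologo /nodemode:1"},
    # 2: compiler spawned by MSBuild during that build, filtered by parent MSBuild.exe
    {"id": 2, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": VS_BIN + r"\MSBuild.exe",
     "CommandLine": r"csc.exe /noconfig @C:\Users\alice\AppData\Local\Temp\tmp1234.rsp"},
    # 3: MSBuild launched from PowerShell against a project file in Temp, fires
    {"id": 3, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.xml"},
    # 4: debugger spawned by Word with a command file, fires
    {"id": 4, "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"cdb.exe -cf C:\Users\alice\AppData\Local\Temp\init.wds -o notepad.exe"},
    # 5: MSBuild copied and renamed; only OriginalFileName gives it away, fires
    {"id": 5, "Image": r"C:\Users\Public\build.exe", "OriginalFileName": "MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"build.exe C:\Users\Public\task.csproj"},
    # 6: unrelated process, no match
    {"id": 6, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for event_id, reason in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Event 5 is the reason the rule matches on OriginalFileName as well as Image: a copied and renamed MSBuild is invisible to a path-only rule but still carries its original name in the PE version resource, which Sysmon records. The parent filter is deliberately narrow; CI/CD agents from the false-positive list run MSBuild under a service host rather than devenv.exe and would still fire here, so suppress those by agent path or account in the SIEM rather than by widening the filter.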