045. Adversaries Abuse Trusted Developer Utilities for Proxy Execution
Hello everyone! Let's talk about another MITRE ATT&CK technique, which doesn't have many procedure examples - T1127: Trusted Developer Utilities Proxy Execution.
In a campaign tracked by Elastic Security Labs as REF7707, the adversary abused the Microsoft Console Debugger (cdb.exe) to execute malicious shellcode. The tool was renamed to fontdrvhost.exe and used to execute shellcode delivered in the config.ini file:
C:\ProgramData\fontdrvhost.exe -cf C:\ProgramData\config.ini -o C:\ProgramData\fontdrvhost.exe
So, what to look for:
- Executables whose original file name is "CDB.Exe" but whose actual file name differs
- Microsoft Console Debugger executions with the -cf argument
Also, you may focus on the -pd -pn arguments, as they enable an adversary to run a shell command.
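The three checks above, as an added Python example that is not part of the original post: it evaluates each check (original file name CDB.Exe with a different image name, a -cf argument, the -pd and -pn pair) over a few constructed Sysmon-style process-creation records. The field names Image, OriginalFileName and CommandLine follow Sysmon Event ID 1; the sample events are constructed, apart from the REF7707 command line quoted in the post, and the two benign records exist only to show that the rules stay quiet on them.

```python
import ntpath
import re

# Constructed Sysmon-style process creation events (Event ID 1 field names).
SAMPLE_EVENTS = [
    {   # renamed CDB, using the REF7707 command line quoted in the post
        "Image": r"C:\ProgramData\fontdrvhost.exe",
        "OriginalFileName": "CDB.Exe",
        "CommandLine": r"C:\ProgramData\fontdrvhost.exe -cf C:\ProgramData\config.ini -o C:\ProgramData\fontdrvhost.exe",
    },
    {   # constructed: legitimate debugger use from the Debugging Tools folder
        "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
        "OriginalFileName": "CDB.Exe",
        "CommandLine": r'"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe" -z C:\dumps\app.dmp',
    },
    {   # constructed: cdb keeps its name but attaches to a process by name
        "Image": r"C:\Users\dev\Desktop\cdb.exe",
        "OriginalFileName": "CDB.Exe",
        "CommandLine": r"cdb.exe -pd -pn notepad.exe",
    },
    {   # constructed: unrelated process, must not match anything
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": r"notepad.exe C:\notes.txt",
    },
]


def is_cdb(event):
    """True when the PE version resource says the binary is CDB, whatever it is called on disk."""
    return event.get("OriginalFileName", "").lower() == "cdb.exe"


def command_line_args(cmdline):
    """Tokenise a Windows command line, keeping quoted paths as single tokens."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def evaluate(event):
    """Return the names of the checks from the post that this event satisfies."""
    findings = []
    if not is_cdb(event):
        return findings
    # Check 1: original file name is CDB.Exe but the image on disk has another name.
    image_name = ntpath.basename(event.get("Image", "")).lower()
    if image_name != "cdb.exe":
        findings.append("renamed_cdb")
    # Checks 2 and 3 look at the arguments only, so drop the program token.
    args = [a.lower() for a in command_line_args(event.get("CommandLine", ""))[1:]]
    if "-cf" in args:
        findings.append("cdb_script_file")
    if "-pd" in args and "-pn" in args:
        findings.append("cdb_attach_by_name")
    return findings


def triage(events):
    """Pair each matching event's image path with its findings; silent events are dropped."""
    results = []
    for event in events:
        findings = evaluate(event)
        if findings:
            results.append((event["Image"], findings))
    return results


if __name__ == "__main__":
    for image, findings in triage(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(findings)}")
```

The original-file-name check is the one that survives renaming: an attacker can call the binary fontdrvhost.exe, but the version resource Sysmon records in OriginalFileName still reads CDB.Exe, so matching on that field rather than on the process name is what makes the first rule useful.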
See you tomorrow!