045. Adversaries Abuse Trusted Developer Utilities for Proxy Execution

Hello everyone! Let's talk about another MITRE ATT&CK technique which doesn't have many procedure examples - T1127: Trusted Developer Utilities Proxy Execution.


In a campaign tracked by Elastic Security Labs as REF7707, the adversary abused the Microsoft Console Debugger (CDB) to execute malicious shellcode. The tool was renamed to fontdrvhost.exe and used to execute shellcode delivered in the config.ini file:

C:\ProgramData\fontdrvhost.exe -cf C:\ProgramData\config.ini -o C:\ProgramData\fontdrvhost.exe

So, what to look for:

  • Executables whose original file name (the OriginalFilename field in the PE version information) is "CDB.Exe" but whose actual file name is different
  • Microsoft Console Debugger executions with the -cf argument
Also, you may focus on the -pd and -pn arguments, as they enable an adversary to run a shell command.
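To show what those two hunting points look like as actual detection logic, here is an added example (my own code, not from the post or from Elastic Security Labs). It runs both checks over a handful of constructed Sysmon-style process-creation records: the second record mirrors the REF7707 command line quoted above, the rest are hypothetical benign or borderline cases, and the field names (Image, OriginalFileName, CommandLine) are assumed to follow the Sysmon Event ID 1 layout.

```python
"""Hunt for renamed or suspiciously invoked CDB.exe in process-creation telemetry."""
import ntpath

# Lower-cased original file name of the Microsoft Console Debugger binary.
CDB_ORIGINAL_NAME = "cdb.exe"

# Command-line switches the post singles out: -cf, plus -pd and -pn.
SUSPICIOUS_FLAGS = {"-cf", "-pd", "-pn"}

# Constructed Sysmon-style Event ID 1 records (not real telemetry). Record 1 mirrors the
# REF7707 command line from the post; the others are hypothetical contrast cases.
SAMPLE_EVENTS = [
    {   # 0: debugger run from its install path with an attach-to-PID switch (benign)
        "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
        "OriginalFileName": "CDB.Exe",
        "CommandLine": r'"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe" -p 4242',
    },
    {   # 1: REF7707 pattern: CDB renamed to fontdrvhost.exe, script file via -cf
        "Image": r"C:\ProgramData\fontdrvhost.exe",
        "OriginalFileName": "CDB.Exe",
        "CommandLine": r"C:\ProgramData\fontdrvhost.exe -cf C:\ProgramData\config.ini -o C:\ProgramData\fontdrvhost.exe",
    },
    {   # 2: the genuine Windows font driver host: same file name, but not CDB
        "Image": r"C:\Windows\System32\fontdrvhost.exe",
        "OriginalFileName": "fontdrvhost.exe",
        "CommandLine": r'"fontdrvhost.exe"',
    },
    {   # 3: un-renamed CDB driven by a script file; worth a look on a non-developer host
        "Image": r"C:\Debuggers\cdb.exe",
        "OriginalFileName": "CDB.Exe",
        "CommandLine": r"cdb.exe -cf C:\Users\Public\init.txt -z C:\Users\Public\app.dmp",
    },
]


def _tokens(command_line):
    """Split on whitespace and strip quotes. Switches are always standalone tokens,
    so this is enough to match them even when a quoted path contains spaces."""
    return {tok.strip('"').lower() for tok in command_line.split()}


def analyze_event(event):
    """Return the list of rule names an event triggers (empty list means nothing of note)."""
    findings = []
    original = event.get("OriginalFileName", "").lower()
    # ntpath handles backslash paths regardless of the platform the script runs on.
    image_name = ntpath.basename(event.get("Image", "")).lower()
    is_cdb = original == CDB_ORIGINAL_NAME or image_name == CDB_ORIGINAL_NAME

    # Rule 1: PE metadata says this is CDB, but the file on disk is called something else.
    if original == CDB_ORIGINAL_NAME and image_name != CDB_ORIGINAL_NAME:
        findings.append("renamed_cdb")

    # Rule 2: CDB (renamed or not) launched with one of the switches the post calls out.
    if is_cdb:
        for flag in sorted(_tokens(event.get("CommandLine", "")) & SUSPICIOUS_FLAGS):
            findings.append(f"cdb_arg:{flag}")
    return findings


def scan(events):
    """Map event index -> findings for every event that triggered at least one rule."""
    results = {}
    for idx, event in enumerate(events):
        findings = analyze_event(event)
        if findings:
            results[idx] = findings
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}  <- {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Running it reports record 1 twice over (renamed binary and -cf) and record 3 for -cf alone, while the real fontdrvhost.exe and the ordinary attach-to-PID debugging session stay quiet. Rule 1 is the stronger signal on its own; rule 2 needs tuning on hosts where developers legitimately run CDB with script files.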

See you tomorrow!
