# T1127 - Trusted Developer Utilities Proxy Execution
## Description from ATT&CK
> Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.
>
> Smart App Control is a feature of Windows that blocks applications it considers potentially malicious from running by verifying unsigned applications against a known safe list from a Microsoft cloud service before executing them.(Citation: Microsoft Smart App Control) However, adversaries may leverage "reputation hijacking" to abuse an operating system's trust of safe, signed applications that support the execution of arbitrary code. By leveraging [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127) to run their malicious code, adversaries may bypass Smart App Control protections.(Citation: Elastic Security Labs)
[Source](https://attack.mitre.org/techniques/T1127)
## Atomic Tests
- [Atomic Test #1: Lolbin Jsc.exe compile javascript to exe](#atomic-test-1-lolbin-jscexe-compile-javascript-to-exe)
- [Atomic Test #2: Lolbin Jsc.exe compile javascript to dll](#atomic-test-2-lolbin-jscexe-compile-javascript-to-dll)
### Atomic Test #1: Lolbin Jsc.exe compile javascript to exe
Use jsc.exe to compile JavaScript code stored in scriptfile.js and output scriptfile.exe.
https://lolbas-project.github.io/lolbas/Binaries/Jsc/
https://www.phpied.com/make-your-javascript-a-windows-exe/
**Supported Platforms:** Windows

**auto_generated_guid:** `1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | Location of the project file | path | PathToAtomicsFolder\T1127\src\hello.js |
| jscpath | Default location of jsc.exe | path | C:\Windows\Microsoft.NET\Framework\v4.0.30319 |
| jscname | Default name of jsc | path | jsc.exe |
#### Attack Commands: Run with `command_prompt`!
```cmd
copy "#{filename}" %TEMP%\hello.js
#{jscpath}\#{jscname} %TEMP%\hello.js
```
#### Cleanup Commands
```cmd
del %TEMP%\hello.js
del %TEMP%\hello.exe
```
#### Dependencies: Run with `powershell`!
##### Description: JavaScript code file must exist on disk at specified location (#{filename})
###### Check Prereq Commands
```powershell
if (Test-Path "#{filename}") { exit 0 } else { exit 1 }
```
###### Get Prereq Commands
```powershell
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/hello.js" -OutFile "#{filename}"
```
### Atomic Test #2: Lolbin Jsc.exe compile javascript to dll
Use jsc.exe to compile JavaScript code stored in Library.js and output Library.dll.
https://lolbas-project.github.io/lolbas/Binaries/Jsc/
https://www.phpied.com/make-your-javascript-a-windows-exe/
**Supported Platforms:** Windows

**auto_generated_guid:** `3fc9fea2-871d-414d-8ef6-02e85e322b80`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | Location of the project file | path | PathToAtomicsFolder\T1127\src\LibHello.js |
| jscpath | Default location of jsc.exe | path | C:\Windows\Microsoft.NET\Framework\v4.0.30319 |
| jscname | Default name of jsc | path | jsc.exe |
#### Attack Commands: Run with `command_prompt`!
```cmd
copy "#{filename}" %TEMP%\LibHello.js
#{jscpath}\#{jscname} /t:library %TEMP%\LibHello.js
```
#### Cleanup Commands
```cmd
del %TEMP%\LibHello.js
del %TEMP%\LibHello.dll
```
#### Dependencies: Run with `powershell`!
##### Description: JavaScript code file must exist on disk at specified location (#{filename})
###### Check Prereq Commands
```powershell
if (Test-Path "#{filename}") { exit 0 } else { exit 1 }
```
###### Get Prereq Commands
```powershell
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/LibHello.js" -OutFile "#{filename}"
```
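
A detection-side view of the two atomic tests above, added here as an example and not part of Atomic Red Team: it scans process-creation events for jsc.exe compiling a `.js` source and reports whether an `.exe` or a `.dll` is produced. The events are constructed samples using Sysmon Event ID 1 field names; the user-writable path list, host name and user name are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumed list of user-writable locations; tune per environment.
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|users\\public)\\", re.I)
TARGET_OPT = re.compile(r"^/t(?:arget)?:(\w+)$", re.I)
FW = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
CMD = r"C:\Windows\System32\cmd.exe"
TMP = r"C:\Users\alice\AppData\Local\Temp"

# Constructed events using Sysmon Event ID 1 field names (host and user are made up).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": FW + r"\jsc.exe", "ParentImage": CMD,
     "CommandLine": FW + r"\jsc.exe " + TMP + r"\hello.js"},
    {"Computer": "WS01", "Image": FW + r"\jsc.exe", "ParentImage": CMD,
     "CommandLine": FW + r"\jsc.exe /t:library " + TMP + r"\LibHello.js"},
    {"Computer": "BUILD01", "Image": FW + r"\csc.exe", "ParentImage": CMD,
     "CommandLine": FW + r"\csc.exe /out:app.exe Program.cs"},
]


def analyze_jsc_event(event):
    """Return a finding for a process-creation event where jsc.exe compiles a .js file."""
    if PureWindowsPath(event["Image"]).name.lower() != "jsc.exe":
        return None
    # Tokenize the command line, keeping double-quoted arguments together.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', event["CommandLine"])]
    target, sources = "exe", []  # an .exe is produced unless /t:library is given
    for arg in tokens[1:]:
        opt = TARGET_OPT.match(arg)
        if opt:
            target = opt.group(1).lower()
        elif not arg.startswith("/") and arg.lower().endswith(".js"):
            sources.append(arg)
    if not sources:
        return None
    return {
        "host": event["Computer"],
        "parent": PureWindowsPath(event["ParentImage"]).name.lower(),
        "artifact": "dll" if target == "library" else "exe",
        "sources": sources,
        "user_writable_source": any(USER_WRITABLE.search(s) for s in sources),
    }


def hunt(events):
    """Run the check over a batch of events and keep only the hits."""
    return [f for f in map(analyze_jsc_event, events) if f]
```

Matching on the image name alone misses a renamed copy of the compiler; Sysmon's `OriginalFileName` field covers that case.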