atomic-red-team/atomics/T1127/T1127.md

# T1127 - Trusted Developer Utilities Proxy Execution
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1127)
<blockquote>Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.</blockquote>

## Atomic Tests

- [Atomic Test #1 - Lolbin Jsc.exe compile javascript to exe](#atomic-test-1---lolbin-jscexe-compile-javascript-to-exe)

- [Atomic Test #2 - Lolbin Jsc.exe compile javascript to dll](#atomic-test-2---lolbin-jscexe-compile-javascript-to-dll)


<br/>

## Atomic Test #1 - Lolbin Jsc.exe compile javascript to exe
Use jsc.exe to compile javascript code stored in scriptfile.js and output scriptfile.exe.
https://lolbas-project.github.io/lolbas/Binaries/Jsc/
https://www.phpied.com/make-your-javascript-a-windows-exe/

**Supported Platforms:** Windows


**auto_generated_guid:** 1ec1c269-d6bd-49e7-b71b-a461f7fa7bc8





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | Location of the project file | path | PathToAtomicsFolder&#92;T1127&#92;src&#92;hello.js|
| jscpath | Default location of jsc.exe | path | C:&#92;Windows&#92;Microsoft.NET&#92;Framework&#92;v4.0.30319|
| jscname | Default name of jsc | path | jsc.exe|


#### Attack Commands: Run with `command_prompt`! 


```cmd
copy "#{filename}" %TEMP%\hello.js
#{jscpath}\#{jscname} %TEMP%\hello.js
```

#### Cleanup Commands:
```cmd
del %TEMP%\hello.js
del %TEMP%\hello.exe
```



#### Dependencies:  Run with `powershell`!
##### Description: JavaScript code file must exist on disk at specified location (#{filename})
##### Check Prereq Commands:
```powershell
if (Test-Path "#{filename}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/hello.js" -OutFile "#{filename}"
```




<br/>
<br/>

## Atomic Test #2 - Lolbin Jsc.exe compile javascript to dll
Use jsc.exe to compile javascript code stored in Library.js and output Library.dll.
https://lolbas-project.github.io/lolbas/Binaries/Jsc/
https://www.phpied.com/make-your-javascript-a-windows-exe/

**Supported Platforms:** Windows


**auto_generated_guid:** 3fc9fea2-871d-414d-8ef6-02e85e322b80





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | Location of the project file | path | PathToAtomicsFolder&#92;T1127&#92;src&#92;LibHello.js|
| jscpath | Default location of jsc.exe | path | C:&#92;Windows&#92;Microsoft.NET&#92;Framework&#92;v4.0.30319|
| jscname | Default name of jsc | path | jsc.exe|


#### Attack Commands: Run with `command_prompt`! 


```cmd
copy "#{filename}" %TEMP%\LibHello.js
#{jscpath}\#{jscname} /t:library %TEMP%\LibHello.js
```

#### Cleanup Commands:
```cmd
del %TEMP%\LibHello.js
del %TEMP%\LibHello.dll
```



#### Dependencies:  Run with `powershell`!
##### Description: JavaScript code file must exist on disk at specified location (#{filename})
##### Check Prereq Commands:
```powershell
if (Test-Path "#{filename}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127/src/LibHello.js" -OutFile "#{filename}"
```




<br/>