diff --git a/atomics/index.md b/atomics/index.md index ae0d9cba..26ea4659 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -150,7 +150,8 @@ - Atomic Test #1: Set a file's access timestamp - Atomic Test #2: Set a file's modification timestamp - Atomic Test #3: Set a file's creation timestamp -- [T1127 Trusted Developer Utilities](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1127?t1127.md) +- [T1127 Trusted Developer Utilities](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1127/t1127.md) + - Atomic Test #1: MSBuild Bypass Using Inline Tasks - [T1078 Valid Accounts](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1078?t1078.md) - [T1102 Web Service](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1102?t1102.md) @@ -270,7 +271,8 @@ - [T1151 Space after Filename](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1151?t1151.md) - [T1072 Third-party Software](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1072?t1072.md) - [T1154 Trap](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1154?t1154.md) -- [T1127 Trusted Developer Utilities](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1127?t1127.md) +- [T1127 Trusted Developer Utilities](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1127/t1127.md) + - Atomic Test #1: MSBuild Bypass Using Inline Tasks - [T1204 User Execution](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1204?t1204.md) - [T1047 Windows Management Instrumentation](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1047?t1047.md) - [T1028 Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1028?t1028.md) diff --git a/atomics/matrix.md b/atomics/matrix.md index ec14593a..4ac202f2 100644 --- a/atomics/matrix.md +++ b/atomics/matrix.md 
@@ -27,7 +27,7 @@ | | [Space after Filename](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1151?t1151.md) | [Launch Agent](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1159?t1159.md) | [Sudo](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1169?t1169.md) | [Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1183?t1183.md) | | | | | | | | | [Third-party Software](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1072?t1072.md) | [Launch Daemon](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1160?t1160.md) | [Sudo Caching](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1206?t1206.md) | [Indicator Blocking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1054?t1054.md) | | | | | | | | | [Trap](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1154?t1154.md) | [Launchctl](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1152?t1152.md) | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1078?t1078.md) | [Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1066?t1066.md) | | | | | | | -| | [Trusted Developer Utilities](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1127?t1127.md) | [Local Job Scheduling](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1168?t1168.md) | [Web Shell](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1100?t1100.md) | [Indicator Removal on Host](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1070?t1070.md) | | | | | | | +| | [Trusted Developer Utilities](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1127/t1127.md) | [Local Job Scheduling](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1168?t1168.md) | [Web 
Shell](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1100?t1100.md) | [Indicator Removal on Host](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1070?t1070.md) | | | | | | | | | [User Execution](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1204?t1204.md) | [Login Item](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1162?t1162.md) | | [Indirect Command Execution](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1202?t1202.md) | | | | | | | | | [Windows Management Instrumentation](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1047?t1047.md) | [Logon Scripts](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1037?t1037.md) | | [Install Root Certificate](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1130/t1130.md) | | | | | | | | | [Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1028?t1028.md) | [Modify Existing Service](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1031?t1031.md) | | [InstallUtil](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1118?t1118.md) | | | | | | | 
@@ -56,6 +56,6 @@ | | | [Web Shell](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1100?t1100.md) | | [Software Packing](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1045?t1045.md) | | | | | | | | | | [Windows Management Instrumentation Event Subscription](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1084?t1084.md) | | [Space after Filename](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1151?t1151.md) | | | | | | | | | | [Winlogon Helper DLL](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1004?t1004.md) | | [Timestomp](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1099/t1099.md) | | | | | | | -| | | | | [Trusted Developer Utilities](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1127?t1127.md) | | | | | | | +| | | | | [Trusted Developer Utilities](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1127/t1127.md) | | | | | | | | | | | | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1078?t1078.md) | | | | | | | | | | | | [Web Service](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/t1102?t1102.md) | | | | | | | diff --git a/atomics/t1127/t1127.md b/atomics/t1127/t1127.md new file mode 100644 index 00000000..d3ae3820 --- /dev/null +++ b/atomics/t1127/t1127.md @@ -0,0 +1,80 @@ +# T1127 - Trusted Developer Utilities +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1127) +
There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application whitelisting defensive solutions. + +===MSBuild=== + +MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It takes XML formatted project files that define requirements for building various platforms and configurations. (Citation: MSDN MSBuild) + +Adversaries can use MSBuild to proxy execution of code through a trusted Windows utility. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into the XML project file. (Citation: MSDN MSBuild) Inline Tasks MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application whitelisting defenses that are configured to allow MSBuild.exe execution. (Citation: SubTee GitHub All The Things Application Whitelisting Bypass) + +===DNX=== + +The .NET Execution Environment (DNX), dnx.exe, is a software development kit packaged with Visual Studio Enterprise. It was retired in favor of .NET Core CLI in 2016. (Citation: Microsoft Migrating from DNX) DNX is not present on standard builds of Windows and may only be present on developer workstations using older versions of .NET Core and ASP.NET Core 1.0. The dnx.exe executable is signed by Microsoft. + +An adversary can use dnx.exe to proxy execution of arbitrary code to bypass application whitelist policies that do not account for DNX. (Citation: engima0x3 DNX Bypass) + +===RCSI=== + +The rcsi.exe utility is a non-interactive command-line interface for C# that is similar to csi.exe. 
It was provided within an early version of the Roslyn .NET Compiler Platform but has since been deprecated for an integrated solution. (Citation: Microsoft Roslyn CPT RCSI) The rcsi.exe binary is signed by Microsoft. (Citation: engima0x3 RCSI Bypass) + +C# .csx script files can be written and executed with rcsi.exe at the command-line. An adversary can use rcsi.exe to proxy execution of arbitrary code to bypass application whitelisting policies that do not account for execution of rcsi.exe. (Citation: engima0x3 RCSI Bypass) + +===WinDbg/CDB=== + +WinDbg is a Microsoft Windows kernel and user-mode debugging utility. The Microsoft Console Debugger (CDB) cdb.exe is also user-mode debugger. Both utilities are included in Windows software development kits and can be used as standalone tools. (Citation: Microsoft Debugging Tools for Windows) They are commonly used in software development and reverse engineering and may not be found on typical Windows systems. Both WinDbg.exe and cdb.exe binaries are signed by Microsoft. + +An adversary can use WinDbg.exe and cdb.exe to proxy execution of arbitrary code to bypass application whitelist policies that do not account for execution of those utilities. (Citation: Exploit Monday WinDbg) + +It is likely possible to use other debuggers for similar purposes, such as the kernel-mode debugger kd.exe, which is also signed by Microsoft. + +===Tracker=== + +The file tracker utility, tracker.exe, is included with the .NET framework as part of MSBuild. It is used for logging calls to the Windows file system. (Citation: Microsoft Docs File Tracking) + +An adversary can use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions. 
(Citation: Twitter SubTee Tracker.exe) + +Detection: The presence of these or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious. + +Use process monitoring to monitor the execution and arguments of MSBuild.exe, dnx.exe, rcsi.exe, WinDbg.exe, cdb.exe, and tracker.exe. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. It is likely that these utilities will be used by software developers or for other software development related tasks, so if it exists and is used outside of that context, then the event may be suspicious. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed. + +Platforms: Windows + +Data Sources: Process monitoring + +Defense Bypassed: Application whitelisting + +Permissions Required: User + +System Requirements: MSBuild: .NET Framework version 4 or higher +DNX: .NET 4.5.2, Powershell 4.0 +RCSI: .NET 4.5 or later, Visual Studio 2012 + +Remote Support: No + +Contributors: Casey Smith, Matthew Demaske, Adaptforward
+ +## Atomic Tests + +- [Atomic Test #1 - MSBuild Bypass Using Inline Tasks](#atomic-test-1---msbuild-bypass-using-inline-tasks) + + +
+ +## Atomic Test #1 - MSBuild Bypass Using Inline Tasks +Executes the code in a project file using. C# Example + +**Supported Platforms:** windows + + +#### Inputs +| Name | Description | Type | Default Value | +|-------------------------------------------| + | filename | Location of the project file | Path | T1127.csproj| + +#### Run it with `command_prompt`! +``` +C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe T1127.csproj + +``` +
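Review bot: in the `@@ -150,7 +150,8 @@` hunk of `atomics/index.md` the T1127 link is corrected to the `tree/master/atomics/t1127/t1127.md` form, but the neighbouring T1078 and T1102 entries left as context still use the `new/master/atomics/t1078?t1078.md` form, which points at GitHub's "create new file" page instead of the technique document. Consider normalising every `new/master/...?...md` link in this file in the same change (or noting the follow-up), so the index does not mix working and broken link forms. The nested `  - Atomic Test #1: MSBuild Bypass Using Inline Tasks` line follows the indentation already used for the T1099 tests above it, which is consistent.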
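Review bot: the `@@ -270,7 +271,8 @@` hunk of `atomics/index.md` repeats the same T1127 fix, which is good for consistency between the two sections, but the surrounding T1151, T1072, T1154, T1204, T1047 and T1028 entries keep the broken `new/master/...?...md` link form. Since the identical replacement is now made four times across two files, one search-and-replace over the remaining `new/master/atomics/<id>?<id>.md` links would fix the rest in one pass rather than one technique at a time.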
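Review bot: in the `@@ -27,7 +27,7 @@` hunk of `atomics/matrix.md` only the Trusted Developer Utilities cell is changed to the `tree/master/...` form while the other cells on the same row (Local Job Scheduling, Web Shell, Indicator Removal on Host) and the rest of the table keep `new/master/...?...md`; note that the Install Root Certificate cell two rows down already uses the working form, so the table now carries both conventions. The cell-by-cell change is correct as far as it goes, but a table-wide fix would be easier to review and less likely to leave stragglers.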
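Review bot: the `@@ -56,6 +56,6 @@` hunk of `atomics/matrix.md` is the same one-cell link fix; the Timestomp cell immediately above it already uses `tree/master/atomics/t1099/t1099.md`, while Valid Accounts and Web Service below it still use the broken form. Nothing wrong with the changed line itself, but it confirms the link form is being corrected opportunistically per technique, and the matrix would benefit from a single consistent pass.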
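Review bot: the Inputs table in the new `atomics/t1127/t1127.md` is malformed: the separator row `|-------------------------------------------|` defines a single column while the header row defines four (`Name`, `Description`, `Type`, `Default Value`), so Markdown renderers will not produce the intended table; use `|------|-------------|------|---------------|`. The `filename` input (default `T1127.csproj`) is also never referenced: the run block hard-codes `msbuild.exe T1127.csproj`, so changing the input has no effect on what executes. More importantly, the project file itself is not part of this patch (the diff adds only `t1127.md`), so the test cannot run as committed; add `T1127.csproj` alongside it. Smaller points: the test description `Executes the code in a project file using. C# Example` is a fragment, and the `===MSBuild===`, `===DNX===`, `===RCSI===`, `===WinDbg/CDB===`, `===Tracker===` headings are MediaWiki syntax carried over from the ATT&CK page and will render as plain text in Markdown (the file uses `##`/`####` elsewhere). The Detection paragraph already names `MSBuild.exe` among the binaries to monitor, so the hard-coded command line is a useful concrete string for validating process-monitoring coverage once the project file is present.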