MITRE ATT&CK LAB

MITRE ATT&CK

Various tests involving methods outlined within the MITRE ATT&CK framework

MITRE ATT&CK™ Analysis - T1127.001 MSBuild

less than 1 minute read

Trusted Developer Utilities Proxy Execution

By usiung legitimate development tools we’re able to compile and execute malicious code which may otherwise have been blocked by application whitelisting or AV solutions.

Trusted Developer Utilities Proxy Execution Analysis

Lab Example

RED TEAM: ATTACK

Below we use @subTee’s MSBuild method to spawn calc from the trusted developer utility MSBuild using an XML file. This can be detected using sysmon 1 events which display MSBuild as the parent process (although this can easily be bypassed with a renamed executable). As such you should keep an eye on executables with a similar command line to another file. The end result is that we can use trusted developer utilities such as MSBuild to bypass application whitelisting and AV detections.

T1127 - Trusted Developer Utilities Proxy Execution 1

BLUE TEAM: DEFEND

In addition to the above this activity leaves behind temporary files used to create the executable being launched which can be seen in Sysmon 11 events.

T1127 - Trusted Developer Utilities Proxy Execution 2

You may also enjoy

ClearFake - Malware Analysis Lab

26 minute read

Analysis of ClearFake malware which is planted on compromised WordPress websites to convince unsuspecting visitors to download and run malware.

LummaC2 - Malware Analysis Lab

30 minute read

Analysis of a RAR file which leads to the discovery of malicious Github repositories designed to distribute malware.