Analytics Story: Trusted Developer Utilities Proxy Execution

Description

Monitor and detect behaviors used by attackers who leverage trusted developer utilities to execute malicious code.

Why it matters

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions. The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging microsoft.workflow.compiler.exe to execute malicious code.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Suspicious microsoft workflow compiler rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities Hunting
Suspicious microsoft workflow compiler usage Trusted Developer Utilities Proxy Execution TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References


Source: GitHub | Version: 1