216.73.217.22

T1127: T1127

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 05/05/2026 12:36

Essential information

MITRE technique ID
T1127
Confidence
100/100
Revoked
No
Published
16/12/2025 19:38
Modified
05/05/2026 12:36
Author / Source
The MITRE Corporation

Aliases

Trusted Developer Utilities Proxy Execution

Platforms

windows

Description

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions. Smart App Control is a feature of Windows that blocks applications it considers potentially malicious from running by verifying unsigned applications against a known safe list from a Microsoft cloud service before executing them.(Citation: Microsoft Smart App Control) However, adversaries may leverage "reputation hijacking" to abuse an operating system’s trust of safe, signed applications that support the execution of arbitrary code. By leveraging [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127) to run their malicious code, adversaries may bypass Smart App Control protections.(Citation: Elastic Security Labs)

Kill chain phases

Kill chainPhase
mitre-attack defense-evasion

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (26)

  • Transparent Tribe uses COPPER FIELDSTONEMythic Leopard
    The MITRE Corporation Confidence 100

    [Transparent Tribe](https://attack.mitre.org/groups/G0134) is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.(Citation: Proofpoint …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • POLONIUM uses Plaid Rain
    The MITRE Corporation Confidence 100

    [POLONIUM](https://attack.mitre.org/groups/G1005) is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • SideCopy uses
    The MITRE Corporation Confidence 100

    [SideCopy](https://attack.mitre.org/groups/G1008) is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. [SideCopy](https://attack.mitre.org/groups/G1008)'s name comes from its …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
  • LilacSquid uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 05:07 · Modified 21/12/2025 05:07
  • APT28 uses IRON TWILIGHTSNAKEMACKEREL
    The MITRE Corporation Confidence 100

    [APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 08/04/2026 13:02
  • Amatera Stealer uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 14:18 · Modified 21/12/2025 14:18
  • HEXANE uses LyceumSiamesekitten
    The MITRE Corporation Confidence 100

    [HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • Andariel uses Silent ChollimaPLUTONIUM
    The MITRE Corporation Confidence 100

    [Andariel](https://attack.mitre.org/groups/G0138) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://attack.mitre.org/groups/G0138) has primarily focused its operations--which have included destructive attacks--against South Korean …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • MUSTANG PANDA uses BRONZE PRESIDENTSTATELY TAURUS
    The MITRE Corporation Confidence 100

    [Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 22/05/2026 04:12
  • Magic Hound uses COBALT ILLUSIONITG18
    The MITRE Corporation Confidence 100

    [Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • UNC2565 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 23:28 · Modified 20/12/2025 23:28
  • bluebottle uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 23:16 · Modified 20/12/2025 23:16
  • Crimson uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 00:01 · Modified 21/12/2025 00:01
  • Mallox uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 04:47 · Modified 21/12/2025 04:47
  • Makop uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 23:47 · Modified 20/12/2025 23:47
  • menuPass uses CicadaPOTASSIUM
    The MITRE Corporation Confidence 100

    [menuPass](https://attack.mitre.org/groups/G0045) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://attack.mitre.org/groups/G0045) are known to have acted in association with the Chinese Ministry …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • CozyDuke uses IRON RITUALIRON HEMLOCK
    The MITRE Corporation Confidence 100

    [APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  • El Machete, SideWinder, Lyceum uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:34 · Modified 20/12/2025 19:34
  • Dark Pink uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 23:05 · Modified 20/12/2025 23:05
  • Grandoreiro uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 03:03 · Modified 21/12/2025 03:03
  • Cluster B uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 23:05 · Modified 20/12/2025 23:05
  • CloudWizard uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 00:45 · Modified 21/12/2025 00:45
  • OilRig uses COBALT GYPSYIRN2
    The MITRE Corporation Confidence 100

    [OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • Threat Group-3390 uses Earth SmilodonTG-3390
    The MITRE Corporation Confidence 100

    [Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010 …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
  • GoldenJackal uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 00:36 · Modified 21/12/2025 00:36
  • IMPERIAL KITTEN uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 01:51 · Modified 21/12/2025 01:51

Malware (123)

  • HyperBro
  • Redline uses
    Family
    Published 08/05/2026 11:31 · Modified 08/05/2026 11:31
  • CryptoClippy
  • AllaKore RAT uses
    Family
    Published 21/08/2025 16:16 · Modified 21/08/2025 16:16
  • AsyncRAT uses
    Family
    Published 11/06/2026 16:31 · Modified 11/06/2026 16:31
  • Margulas
  • NetSupport uses
    Family
    Published 03/11/2025 14:28 · Modified 03/11/2025 14:28
  • Cucky
  • Dridex
  • GuLoader uses
    Family
    Published 19/09/2024 19:34 · Modified 19/09/2024 19:34
  • Trigona uses
    Family
    Published 01/05/2026 17:53 · Modified 01/05/2026 17:53
  • Mimilite
  • Scarab
  • CommonMagic
  • Metasploit uses
    Family
    Published 03/02/2026 08:21 · Modified 03/02/2026 08:21
  • PapaCreep
  • Akira uses
    Family
    Published 12/06/2026 16:57 · Modified 12/06/2026 16:57
  • zgRAT uses
    Family
    Published 21/08/2025 00:37 · Modified 21/08/2025 00:37
  • CreepySnail
  • Drokbk
  • Hannabi Grabber
  • PyInstaller uses
    Family
    Published 31/01/2025 10:09 · Modified 31/01/2025 10:09
  • PrCtrl
  • Chaos
  • Turla
  • ElizaRAT uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 01:11 · Modified 21/12/2025 01:11
  • Engima Stealer
  • LegionLoader uses
    Family
    Published 05/04/2025 07:55 · Modified 05/04/2025 07:55
  • El Machete
  • Stealerium uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:38 · Modified 20/12/2025 23:34
  • DeepCreep
  • Satacom uses
    Family
    Published 10/02/2025 13:54 · Modified 10/02/2025 13:54
  • HotRat
  • MASEPIE
  • FONELAUNCH
  • Lyceum
  • Ministealer
  • Phobos uses
    Family
    Published 30/09/2024 10:39 · Modified 30/09/2024 10:39
  • Quasar uses
    Family
    Published 24/02/2025 14:22 · Modified 24/02/2025 14:22
  • HYPERSCRAPE
  • SpaceColon
  • Hijackloader uses
    Family
    Published 10/06/2026 11:58 · Modified 10/06/2026 11:58
  • SquidLoader uses
    Family
    Published 21/07/2025 12:03 · Modified 21/07/2025 12:03
  • NOOPDOOR uses
    Family
    Published 27/11/2024 18:31 · Modified 27/11/2024 18:31
  • UPPERCUT
  • PureRAT uses
    Family
    Published 28/01/2026 17:20 · Modified 28/01/2026 17:20
  • Rhadamanthys uses
    Family
    Published 29/04/2026 02:24 · Modified 29/04/2026 02:24
  • Jupyter Stealer
  • NETWIRE
  • Nokoyawa
  • Ares
  • Havoc uses
    Family
    Published 08/06/2026 10:30 · Modified 08/06/2026 10:30
  • PXA uses
    Family
    Published 10/10/2025 20:35 · Modified 10/10/2025 20:35
  • Lorem Ipsum uses
    Family
    Published 04/05/2026 23:46 · Modified 04/05/2026 23:46
  • DUCKTAIL uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:35 · Modified 21/12/2025 01:43
  • Kinsing
  • Babyk uses
    Family
    Published 09/10/2025 20:09 · Modified 09/10/2025 20:09
  • CoinMiner uses
    Family
    Published 14/04/2026 08:54 · Modified 14/04/2026 08:54
  • Sliver uses
    Family
    Published 12/06/2026 21:29 · Modified 12/06/2026 21:29
  • DroxiDat
  • XWorm uses
    Family
    Published 27/03/2026 08:45 · Modified 27/03/2026 08:45
  • dotRunpeX
  • AllaKore uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:39 · Modified 21/12/2025 00:13
  • PureLogs uses
    Family
    Published 26/05/2026 15:20 · Modified 26/05/2026 15:20
  • DWservice
  • LockBit uses
    Family
    Published 06/05/2026 10:26 · Modified 06/05/2026 10:26
  • Mythic Poseidon
  • SORVEPOTEL uses
    Family
    Published 06/05/2026 19:35 · Modified 06/05/2026 19:35
  • Grandoreiro - S0531 uses
    Family
    Published 19/05/2026 22:26 · Modified 19/05/2026 22:26
  • MegaCreep
  • SysUpdate
  • Dark Pink
  • OCEANMAP
  • FlipCreep
  • Remcos - S0332 uses
    Family
    Published 31/01/2025 10:09 · Modified 31/01/2025 10:09
  • Agent Tesla uses
    Family
    Published 28/05/2024 13:32 · Modified 28/05/2024 13:32
  • Yashma uses
    Family
    Published 09/08/2024 11:19 · Modified 09/08/2024 11:19
  • CreepyDrive
  • Cobalt Strike uses
    Family
    Published 16/12/2024 14:25 · Modified 16/12/2024 14:25
  • Gopuram
  • SolarMarker uses
    Family
    Published 14/05/2024 13:06 · Modified 14/05/2024 13:06
  • CosmicBeetle
  • Gootloader uses
    Family
    Published 12/06/2026 21:29 · Modified 12/06/2026 21:29
  • PoshC2 uses
    Family
    Published 26/06/2025 17:27 · Modified 26/06/2025 17:27
  • Agent Racoon
  • Mallox uses
    Family
    Published 25/10/2024 20:49 · Modified 25/10/2024 20:49
  • Ntospy
  • DuckLogs
  • LimeRAT uses
    Family
    Published 26/08/2025 15:21 · Modified 26/08/2025 15:21
  • Polar
  • Crimson
  • SharpHound uses
    Family
    Published 16/01/2026 13:31 · Modified 16/01/2026 13:31
  • WarzoneRAT
  • Poseidon uses
    Family
    Published 01/08/2025 12:31 · Modified 01/08/2025 12:31
  • FinalDraft uses
    Family
    Published 05/05/2026 14:07 · Modified 05/05/2026 14:07
  • ROADSWEEP uses
    Family
    Published 20/09/2024 11:10 · Modified 20/09/2024 11:10
  • IMAPLoader
  • BlackBit
  • StandardKeyboard
  • ServHelper
  • AgentTesla uses
    Family
    Published 22/04/2026 07:06 · Modified 22/04/2026 07:06
  • Sidewinder
  • PowerMagic
  • Transparent Tribe
  • FormBook uses
    Family
    Published 22/04/2026 12:43 · Modified 22/04/2026 12:43
  • Minas
  • TechnoCreep
  • Xollam uses
    Family
    Published 14/05/2024 18:03 · Modified 14/05/2024 18:03
  • CAPI
  • CHIMNEYSWEEP
  • MeshAgent uses
    Family
    Published 02/09/2025 08:34 · Modified 02/09/2025 08:34
  • ParrotStealer uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 21:48 · Modified 20/12/2025 21:48
  • SYK
  • QuasarRAT uses
    Family
    Published 25/02/2026 11:35 · Modified 25/02/2026 11:35
  • STEELHOOK
  • NOOPLDR uses
    Family
    Published 07/10/2024 19:59 · Modified 07/10/2024 19:59
  • Capra
  • Golang
  • Amatera Stealer uses
    Family
    Published 09/03/2026 09:42 · Modified 09/03/2026 09:42
  • DarkTortilla
  • AstraLocker
  • FIN7
  • Army Knife

Reports (10)

Vulnerabilities (CVE) (7)

CVE-2021-45046 KEV

Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern …

Published
01/05/2023
Modified
20/12/2025
CVE-2015-2291 KEV
7.8 High

Intel ethernet diagnostics driver for Windows IQVW32.sys and IQVW64.sys contain an unspecified vulnerability that allows for a denial-of-service (DoS).

Attack vector
LOCAL
Complexity
LOW
Published
09/08/2017
Modified
22/04/2026
CVE-2021-44228 KEV
10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector
Network
Published
10/12/2021
Modified
27/05/2026
CVE-2019-0797 KEV

Microsoft Win32k contains a privilege escalation vulnerability when the Win32k component fails to properly handle objects in memory. Successful exploitation allows an …

Published
03/11/2021
Modified
29/05/2026
CVE-2017-11882 KEV
7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector
Local
Complexity
Low
Published
15/11/2017
Modified
29/05/2026
CVE-2019-0859 KEV

Microsoft Win32k fails to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in kernel …

Published
03/11/2021
Modified
29/05/2026
CVE-2023-38831 KEV
7.8 High

RARLAB WinRAR contains an unspecified vulnerability that allows an attacker to execute code when a user attempts to view a benign file …

Attack vector
Local
Published
24/08/2023
Modified
27/05/2026

Attack patterns (MITRE) (3)

Course Of Action (3)

  • Execution Prevention mitigates
  • Disable or Remove Feature or Program mitigates
  • Restrict Web-Based Content mitigates