Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)
Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file.(Citation: MSDN MSBuild) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-2 | Baseline Configuration | Protects | T1127.001 | MSBuild | |
| CM-6 | Configuration Settings | Protects | T1127.001 | MSBuild | |
| CM-8 | System Component Inventory | Protects | T1127.001 | MSBuild | |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1127.001 | MSBuild | |
| SI-4 | System Monitoring | Protects | T1127.001 | MSBuild |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_sentinel | Azure Sentinel | technique_scores | T1127.001 | MSBuild |
Comments
The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect the use of Empire, which can use abuse trusted utilities including MSBuild.exe, but does not address other procedures.
References
|