T1127.001 MSBuild Mappings

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)

Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file.(Citation: MSDN MSBuild) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CM-2 Baseline Configuration Protects T1127.001 MSBuild
CM-6 Configuration Settings Protects T1127.001 MSBuild
CM-8 System Component Inventory Protects T1127.001 MSBuild
RA-5 Vulnerability Monitoring and Scanning Protects T1127.001 MSBuild
SI-4 System Monitoring Protects T1127.001 MSBuild
azure_sentinel Azure Sentinel technique_scores T1127.001 MSBuild