LOLBAS/yml/OSBinaries/Msbuild.yml

86 lines
5.2 KiB
YAML
Raw Normal View History

2018-06-09 00:15:06 +02:00
---
Name: Msbuild.exe
Description: Used to compile and execute code
Author: 'Oddvar Moe'
Created: 2018-05-25
2018-06-09 00:15:06 +02:00
Commands:
- Command: msbuild.exe pshell.xml
Description: Build and execute a C# project stored in the target XML file.
Usecase: Compile and run code
Category: AWL Bypass
Privileges: User
MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
- Command: msbuild.exe project.csproj
Description: Build and execute a C# project stored in the target csproj file.
Usecase: Compile and run code
Category: Execute
Privileges: User
MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
2021-10-26 00:27:35 +02:00
- Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo
2022-05-05 12:12:22 +02:00
Description: Executes generated Logger DLL file with TargetLogger export
2021-10-26 00:17:08 +02:00
Usecase: Execute DLL
Category: Execute
Privileges: User
MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: DLL
- Command: msbuild.exe project.proj
Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
Usecase: Execute project file that contains XslTransformation tag parameters
Category: Execute
Privileges: User
MitreID: T1127.001
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Tags:
- Execute: WSH
2022-05-05 12:12:22 +02:00
- Command: msbuild.exe @sample.rsp
Description: By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line.
Usecase: Bypass command-line based detections
Category: Execute
Privileges: User
MitreID: T1036
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
Full_Path:
- Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
- Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
- Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
2021-11-05 19:58:26 +01:00
Code_Sample:
- Code:
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_msbuild_susp_parent_process.yml
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml
- Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_msbuild_spawn.yml
- Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_msbuild_rename.yml
- Splunk: https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_msbuild_making_network_connections.toml
- Elastic: https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
- Elastic: https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- IOC: Msbuild.exe should not normally be executed on workstations
2018-06-09 00:15:06 +02:00
Resources:
- Link: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md
- Link: https://github.com/Cn33liz/MSBuildShell
- Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
- Link: https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
- Link: https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191
2021-10-26 00:17:08 +02:00
- Link: https://github.com/LOLBAS-Project/LOLBAS/issues/165
2022-05-05 12:12:22 +02:00
- Link: https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-response-files
2021-10-26 00:19:57 +02:00
- Link: https://www.daveaglick.com/posts/msbuild-loggers-and-logging-events
Acknowledgement:
- Person: Casey Smith
Handle: '@subtee'
- Person: Cn33liz
Handle: '@Cneelis'
- Person: Jimmy
Handle: '@bohops'