2018-06-09 00:15:06 +02:00
---
2021-01-10 16:04:52 +01:00
Name : Msbuild.exe
2018-09-24 21:59:43 +02:00
Description : Used to compile and execute code
Author : 'Oddvar Moe'
2021-01-10 16:04:52 +01:00
Created : 2018-05-25
2018-06-09 00:15:06 +02:00
Commands :
- Command : msbuild.exe pshell.xml
Description : Build and execute a C# project stored in the target XML file.
2018-09-24 21:59:43 +02:00
Usecase : Compile and run code
2022-09-11 04:55:32 +02:00
Category : AWL Bypass
2018-09-24 21:59:43 +02:00
Privileges : User
2021-11-05 21:06:57 +01:00
MitreID : T1127.001
2021-12-14 16:50:17 +01:00
OperatingSystem : Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
2018-09-24 21:59:43 +02:00
- Command : msbuild.exe project.csproj
Description : Build and execute a C# project stored in the target csproj file.
Usecase : Compile and run code
Category : Execute
Privileges : User
2021-11-05 21:06:57 +01:00
MitreID : T1127.001
2021-12-14 16:50:17 +01:00
OperatingSystem : Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
2021-10-26 00:27:35 +02:00
- Command : msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo
2022-05-05 12:12:22 +02:00
Description : Executes generated Logger DLL file with TargetLogger export
2021-10-26 00:17:08 +02:00
Usecase : Execute DLL
Category : Execute
Privileges : User
2021-11-05 21:06:57 +01:00
MitreID : T1127.001
2021-12-14 16:50:17 +01:00
OperatingSystem : Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
2021-09-27 05:31:30 +02:00
- Command : msbuild.exe project.proj
Description : Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
Usecase : Execute project file that contains XslTransformation tag parameters
Category : Execute
Privileges : User
2021-11-05 21:06:57 +01:00
MitreID : T1127.001
2021-12-14 16:50:17 +01:00
OperatingSystem : Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
2022-05-05 12:12:22 +02:00
- Command : msbuild.exe @sample.rsp
Description : By putting any valid msbuild.exe command-line options in an RSP file and calling it as above will interpret the options as if they were passed on the command line.
Usecase : Bypass command-line based detections
Category : Execute
Privileges : User
MitreID : T1036
OperatingSystem : Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
2018-12-10 14:28:12 +01:00
Full_Path :
2018-09-24 21:59:43 +02:00
- Path : C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
- Path : C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
- Path : C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
- Path : C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
- Path : C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
- Path : C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
2021-09-27 05:31:30 +02:00
- Path : C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
2021-11-05 19:58:26 +01:00
Code_Sample :
2021-10-22 14:53:09 +02:00
- Code :
2018-09-24 21:59:43 +02:00
Detection :
2021-11-15 14:19:03 +01:00
- Sigma : https://github.com/SigmaHQ/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml
- Sigma : https://github.com/SigmaHQ/sigma/blob/5a3af872d86903c13e508348f54e3b519eb01dce/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml
- Splunk : https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_msbuild_spawn.yml
- Splunk : https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_msbuild_rename.yml
- Splunk : https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml
- Elastic : https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
- Elastic : https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_msbuild_making_network_connections.toml
- Elastic : https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
- Elastic : https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
- Elastic : https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
2021-12-14 16:50:17 +01:00
- BlockRule : https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
2021-11-15 14:19:03 +01:00
- IOC : Msbuild.exe should not normally be executed on workstations
2018-06-09 00:15:06 +02:00
Resources :
2018-09-24 21:59:43 +02:00
- Link : https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md
- Link : https://github.com/Cn33liz/MSBuildShell
- Link : https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
- Link : https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
2021-09-27 05:31:30 +02:00
- Link : https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191
2021-10-26 00:17:08 +02:00
- Link : https://github.com/LOLBAS-Project/LOLBAS/issues/165
2022-05-05 12:12:22 +02:00
- Link : https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-response-files
2021-10-26 00:19:57 +02:00
- Link : https://www.daveaglick.com/posts/msbuild-loggers-and-logging-events
2018-09-24 21:59:43 +02:00
Acknowledgement :
- Person : Casey Smith
Handle : '@subtee'
- Person : Cn33liz
Handle : '@Cneelis'
2021-09-27 05:31:30 +02:00
- Person : Jimmy
Handle : '@bohops'