1. Home
  2. Techniques
  3. Enterprise
  4. Trusted Developer Utilities Proxy Execution
  5. MSBuild

Trusted Developer Utilities Proxy Execution: MSBuild

ID Name
T1127.001 MSBuild
T1127.002 ClickOnce
T1127.003 JamPlus

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.[1]

Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.[1][2] MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.[3]

ID: T1127.001
Sub-technique of:  T1127
Tactic: Defense Evasion
Platforms: Windows
Contributors: @ionstorm; Carrie Roberts, @OrOneEqualsOne
Version: 1.4
Created: 27 March 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0363 Empire

Empire can use built-in modules to abuse trusted utilities like MSBuild.exe.[4]
C0001 Frankenstein

During Frankenstein, the threat actors used MSbuild to execute an actor-created file.[5]
S0013 PlugX

A version of PlugX loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application control techniques.[6]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

MSBuild.exe may not be necessary within an environment and should be removed if not being used.
M1038 Execution Prevention

Use application control configured to block execution of msbuild.exe if it is not required for a given system or network to prevent potential misuse by adversaries. For example, in Windows 10 and Windows Server 2016 and above, Windows Defender Application Control (WDAC) policy rules may be applied to block the msbuild.exe application and to prevent abuse.[7]

Detection Strategy

ID Name Analytic ID Analytic Description
DET0556 Behavior-chain detection strategy for T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild (Windows) AN1535

MSBuild.exe is invoked outside expected developer/build contexts or with anomalous arguments (e.g., non-canonical paths, remote shares, Base64/obfuscated property values). Within a short window, it (a) spawns high-risk LOLBins/script interpreters, (b) writes new PE/DLL/script artifacts into user-writable paths and executes them, (c) loads unsigned/user-writable modules, (d) performs memory injection/thread creation into other processes, and/or (e) initiates outbound network connections.

References

  1. Microsoft. (n.d.). MSBuild1. Retrieved November 30, 2016.
  2. Microsoft. (2017, September 21). MSBuild inline tasks. Retrieved March 5, 2021.
  3. LOLBAS. (n.d.). Msbuild.exe. Retrieved July 31, 2019.
  4. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  1. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  2. Lancaster, T. and Idrizovic, E.. (2017, June 27). Paranoid PlugX. Retrieved July 13, 2017.
  3. Coulter, D. et al.. (2019, April 9). Microsoft recommended block rules. Retrieved August 12, 2021.