Trusted Developer Utilities Proxy Execution: MSBuild

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.[1]

Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file.[1] MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.[2]

ID: T1127.001
Sub-technique of:  T1127
Tactic: Defense Evasion
Platforms: Windows
System Requirements:  .NET Framework version 4 or higher
Data Sources: Process monitoring
Version: 1.0
Created: 27 March 2020
Last Modified: 08 June 2020

Procedure Examples

Name Description
Empire

Empire can use built-in modules to abuse trusted utilities like MSBuild.exe.[3]

Frankenstein

Frankenstein has used MSbuild to execute an actor-created file.[5]

PlugX

A version of PlugX loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application control techniques.[4]

Mitigations

Mitigation Description
Disable or Remove Feature or Program

MSBuild.exe may not be necessary within an environment and should be removed if not being used.

Detection

Use process monitoring to monitor the execution and arguments of MSBuild.exe. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.

References