MSBuild

Technique: MSBuild
ID: T1127
Tactic: Defense Evasion, Execution
Platform: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1
System Requirements: .NET Framework version 4 or higher
Permissions Required: User
Data Sources: Process monitoring
Defense Bypassed: Application whitelisting
Contributors: Casey Smith

MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It takes XML-formatted project files that define requirements for building various platforms and configurations.[1]

Adversaries can use MSBuild to proxy execution of code through a trusted Windows utility. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into the XML project file.[2] MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application whitelisting defenses that are configured to allow MSBuild.exe execution.[3]

Mitigation

MSBuild.exe may not be necessary within a given environment and should be removed if not used. Use application whitelisting configured to block MSBuild.exe to prevent potential misuse by adversaries.[3][4][5]

Detection

Use process monitoring to monitor the execution and arguments of MSBuild.exe. Compare recent invocations of MSBuild.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. It is likely that MSBuild will be used by software developers, so if it exists and is used outside of that context, then the event may be suspicious. Command arguments used before and after the MSBuild.exe invocation may also be useful in determining the origin and purpose of the binary being executed.
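The following script is an added illustration of the detection approach described above and of the inline-task project structure described in the technique paragraph; it is not part of the ATT&CK page. It triages constructed, Sysmon-style process-creation events for MSBuild.exe against an assumed known-good baseline (expected parent process and expected project directory tree), extracts the project file from the command line, and inspects the project XML for a UsingTask element that carries inline source in a Code element. The event format, the baseline values and the two project files are all made up for the example; the UsingTask/TaskFactory/Code element names and the CodeTaskFactory name are real MSBuild constructs.

```python
"""Triage MSBuild.exe process-creation events against a known-good baseline.

Constructed example (not ATT&CK content): the log lines, the baseline and the
project files below are made up to exercise the checks described on the page.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

# Assumed baseline of prior known-good invocations: the parent process name
# and the directory tree under which project files normally live.
BASELINE_PARENTS = {"devenv.exe"}
BASELINE_PROJECT_ROOTS = {r"c:\src"}

# Constructed process-creation events (Sysmon Event ID 1 style, flattened to
# 'key=value|key=value' so the example needs no log parser).
EVENTS = [
    r'Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe|ParentImage=C:\Program Files\Microsoft Visual Studio\devenv.exe|CommandLine="MSBuild.exe" "C:\src\app\app.csproj" /t:Build|User=CORP\alice',
    r'Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe|ParentImage=C:\Program Files\Microsoft Office\WINWORD.EXE|CommandLine=MSBuild.exe C:\Users\bob\AppData\Local\Temp\update.xml|User=CORP\bob',
    r'Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe|User=CORP\alice',
]

# Constructed project files keyed by lower-cased path, standing in for the
# files a responder would retrieve from the host. The second one uses the
# .NET 4 inline task feature (UsingTask + Code) with a harmless body.
PROJECT_FILES = {
    r"c:\src\app\app.csproj": """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><Message Text="building" /></Target>
</Project>""",
    r"c:\users\bob\appdata\local\temp\update.xml": """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="Hello" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Fragment" Language="cs">Log.LogMessage("hello");</Code></Task>
  </UsingTask>
  <Target Name="Build"><Hello /></Target>
</Project>""",
}


def parse_event(line):
    """Split a 'key=value|key=value' event line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def project_argument(command_line):
    """Return the first non-switch argument after the executable, i.e. the
    project file MSBuild was asked to build, or None if there is none."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]
    for token in tokens[1:]:
        if not token.startswith(("/", "-", "@")):
            return token
    return None


def inline_task_factories(project_xml):
    """Return the TaskFactory name of every UsingTask that carries inline
    source in a <Code> element. Tag names are compared without namespace so
    both legacy (namespaced) and SDK-style project files are handled."""
    factories = []
    root = ET.fromstring(project_xml)
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != "UsingTask":
            continue
        has_code = any(child.tag.rsplit("}", 1)[-1] == "Code" for child in elem.iter())
        if has_code:
            factories.append(elem.get("TaskFactory", "<none>"))
    return factories


def assess(event, baseline_parents=BASELINE_PARENTS,
           baseline_roots=BASELINE_PROJECT_ROOTS, project_files=PROJECT_FILES):
    """Return the reasons an MSBuild.exe event deviates from the baseline.
    An empty list means the event matches known-good history (or is not an
    MSBuild.exe event at all)."""
    reasons = []
    if ntpath.basename(event["Image"]).lower() != "msbuild.exe":
        return reasons
    parent = ntpath.basename(event["ParentImage"]).lower()
    if parent not in baseline_parents:
        reasons.append(f"parent {parent} not in known-good history")
    project = project_argument(event["CommandLine"])
    if project is None:
        reasons.append("no project file argument")
        return reasons
    project = project.lower()
    if not any(project.startswith(root) for root in baseline_roots):
        reasons.append(f"project {project} outside known build trees")
    xml_text = project_files.get(project)
    if xml_text is not None:
        for factory in inline_task_factories(xml_text):
            reasons.append(f"inline task code via {factory}")
    return reasons


def triage(lines):
    """Assess each event line; return (command line, reasons) for flagged ones."""
    flagged = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            flagged.append((event["CommandLine"], reasons))
    return flagged


if __name__ == "__main__":
    for command_line, reasons in triage(EVENTS):
        print(command_line)
        for reason in reasons:
            print("  -", reason)
```

Run as written, the first event (Visual Studio building a project under the known tree, no inline task) passes silently, the notepad event is ignored, and the second event is reported three times over: unexpected parent, project file outside the usual trees, and inline task code in the project. In practice the baseline sets would be populated from the environment's own history of MSBuild.exe invocations, which is the comparison the detection paragraph calls for.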