Msbuild.exe

AWL bypass
Execute (DLL, WSH)

Used to compile and execute code

Paths:

Resources:

Acknowledgements:

Detections:

AWL bypass

  1. Build and execute a C# project stored in the target XML file.

    msbuild.exe pshell.xml

    Use case: Compile and run code
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1127.001

Execute

  1. Build and execute a C# project stored in the target csproj file.

    msbuild.exe project.csproj

    Use case: Compile and run code
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1127.001
  2. Executes generated Logger DLL file with TargetLogger export

    msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo

    Use case: Execute DLL
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1127.001
    Tags: Execute: DLL
    This LOLBAS executes Dynamic-Link Libraries (DLLs).
  3. Execute JScript/VBScript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.

    msbuild.exe project.proj

    Use case: Execute project file that contains XslTransformation tag parameters
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1127.001
    Tags: Execute: WSH
    This LOLBAS executes scripts in Windows Script Host (WSH) languages, such as VBScript and JScript.
  4. Putting any valid msbuild.exe command-line options in an RSP file and calling it as shown makes msbuild.exe interpret the options as if they were passed on the command line.

    msbuild.exe @sample.rsp

    Use case: Bypass command-line based detections
    Privileges required: User
    Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
    ATT&CK® technique: T1036
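
On the detection side, rules that match only on switch names in the process command line miss options moved into an RSP file, so a detector has to treat `@file` as a finding in itself and, where the file content is available, classify the expanded options. The following is an added example, not part of the original entry: a Python classifier for msbuild.exe process-creation command lines. The `classify` function, the `rsp_files` input, the finding labels and the file-extension heuristic are assumptions of this example.

```python
import ntpath
import re
import shlex

# /logger: and its short form /l:, with either "/" or "-" as switch prefix.
LOGGER_RE = re.compile(r"^[/-](?:logger|l):(.+)$", re.I)

def _split(text):
    # Windows-style split: backslashes stay literal, surrounding quotes are dropped.
    return [t.strip('"') for t in shlex.split(text, posix=False)]

def classify(cmdline, rsp_files=None):
    """Return sorted findings for one msbuild.exe process-creation command line.

    rsp_files (hypothetical input) maps a response-file name to its text, as a
    collection agent might supply it. Finding labels are this example's own.
    """
    rsp_files = rsp_files or {}
    findings, seen = set(), set()
    queue = _split(cmdline)[1:]              # drop the image name
    while queue:
        arg = queue.pop(0)
        if arg.startswith("@"):
            findings.add("response-file")    # options are hidden from the command line
            name = arg[1:]
            if name in seen:
                continue                     # guard against self-referencing files
            seen.add(name)
            if name in rsp_files:
                queue.extend(_split(rsp_files[name]))
            else:
                findings.add("response-file-unresolved")
        elif (m := LOGGER_RE.match(arg)):
            findings.add("logger-dll" if ".dll" in m.group(1).lower() else "logger")
        elif not arg.startswith(("/", "-")):
            ext = ntpath.splitext(arg)[1].lower()
            # Heuristic (assumption): build files normally end in "proj" or ".sln".
            if not (ext.endswith("proj") or ext == ".sln"):
                findings.add("unusual-project-extension")
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample: the RSP content is invented for illustration.
    rsp = {"sample.rsp": r"/logger:TargetLogger,C:\Loggers\TargetLogger.dll pshell.xml"}
    for line in ("msbuild.exe project.csproj", "msbuild.exe @sample.rsp"):
        print(line, "->", classify(line, rsp))
```

An unresolved response file is reported separately so that an analyst knows the real options were never inspected.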