T1127.001: MSBuild
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.
Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
process_chains_and_logons: PT-CR-1867: Suspicious_MSBuild_Process_Chain: Suspicious process start chain for MSBuild
mitre_attck_defense_evasion: PT-CR-196: MSBuild_AWL_Bypass: An attempt to bypass application-start restrictions by using msbuild.exe (a .NET Framework utility used to compile and execute code)
hacking_tools: PT-CR-2450: WMEye_Execution: Possible use of the WMEye utility for remote execution of arbitrary code and lateral movement. The WMEye utility creates a WMI event filter to write a payload to a file and execute the payload using the MSBuild.exe process.
hacking_tools: PT-CR-2449: WMEye_Event_Filter_Creation: A WMI event filter is created, and the MSBuild.exe process is started to execute a payload written to a file using the created event filter. This may indicate the use of the WMEye utility, which allows lateral movement to other infrastructure hosts and remote execution of arbitrary code.
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0017 | Command: Command Execution | Monitor executed commands and arguments. Commands used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed. |
| DS0009 | Process: Process Creation | Monitor for newly executed processes of MSBuild.exe. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Analytic 1 - MSBuild and msxsl: Trusted developer utilities such as MSBuild may be leveraged to run malicious code with elevated privileges. This analytic looks for any instances of msbuild.exe, which will execute any C# code placed within a given XML document; and msxsl.exe, which processes XSL transformation specifications for XML files and will execute a variety of scripting languages contained within the XSL file. Both of these executables are rarely used outside of Visual Studio. |
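The process-creation analytic above, as an added Python example that is not part of the original page or of any Positive Technologies product: it triages constructed Sysmon Event ID 1 style records for msbuild.exe and msxsl.exe, comparing the parent process and the input files against an assumed known-good baseline (the developer-tool parent list, the user-writable directory list and the expected extensions are assumptions to tune per site), and treats a WmiPrvSE.exe parent as the WMI-initiated chain the WMEye rules describe.

```python
import re
from pathlib import PureWindowsPath

# Binaries the detection text singles out: MSBuild and msxsl.
WATCHED = {"msbuild.exe", "msxsl.exe"}
# Parents that start MSBuild in a normal developer workflow (assumed baseline; tune per site).
KNOWN_GOOD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}
# Extensions these tools are normally handed; anything else (.txt, .tmp, ...) is odd.
EXPECTED_EXT = {".csproj", ".vbproj", ".proj", ".sln", ".xml", ".xsl", ".xslt"}
# User-writable directories in which a project file or stylesheet is unexpected (assumed list).
USER_WRITABLE = re.compile(r"\\(temp|tmp|appdata|downloads|public|programdata)\\", re.I)

def _name(path):
    return PureWindowsPath(path).name.lower()

def triage(event):
    """Return the reasons a process-creation event looks suspicious ([] = benign)."""
    image = _name(event["Image"])
    if image not in WATCHED:
        return []
    reasons = []
    parent = _name(event.get("ParentImage", ""))
    if parent not in KNOWN_GOOD_PARENTS:
        reasons.append(f"unexpected parent: {parent or '<none>'}")
    if parent == "wmiprvse.exe":  # WMI-initiated start, the WMEye-style chain
        reasons.append("started via WMI")
    # Drive-letter paths on the command line other than the binary itself are the
    # inputs it was told to process; with none, MSBuild uses the working directory.
    inputs = [p for p in re.findall(r'[A-Za-z]:\\[^"\s]+', event.get("CommandLine", ""))
              if _name(p) != image]
    for path in inputs or [event.get("CurrentDirectory", "") + "\\"]:
        if USER_WRITABLE.search(path):
            reasons.append(f"input in user-writable location: {path}")
        if inputs and PureWindowsPath(path).suffix.lower() not in EXPECTED_EXT:
            reasons.append(f"unusual input extension: {path}")
    return reasons

# Constructed sample events using Sysmon Event ID 1 field names (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
     "ParentImage": r"C:\VS\Common7\IDE\devenv.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" C:\Users\Public\update.txt',
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Tools\msxsl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"msxsl.exe C:\Users\bob\AppData\Local\Temp\in.xml C:\Users\bob\AppData\Local\Temp\t.xsl"},
]
```

Running `triage` over `SAMPLE_EVENTS` leaves the Visual Studio build untouched and raises four reasons for the WMI-launched MSBuild and three for the msxsl run from a Temp directory.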
Mitigation
| ID | Name | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | MSBuild.exe may not be necessary within an environment and should be removed if not being used. |
| M1038 | Execution Prevention | Use application control configured to block execution of |