MSBuild

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.

Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file. MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.

Example

In this Demo MSBuild is a proper tool for executing code specially C# inserted in an XML project file. MSBuild will compile and execute the inline task.

By searching the Binary in its path or using the Developer Command Prompt we can execute the payload by passing the full path as a parameter in this demo the payload is on the target machine for demonstration purposes, the utility is proxy aware so a payload can be called from a remote host.

We see the execution and lets verify a shell

We view from Process Explorer that MSBuild is a child process and being called

But from Procmon we also see the files it calls and the Connections that are being made

One of the good things of MSBuild is that it cleans after the connection is closed.

This is good for OPSEC but still be aware that a file still is created and touches Disk, TEMP file but still some forensic evidence.

Demo

PreviousT1127: Trusted Developer Utilities Proxy Execution NextT1221: Template Injection

Last updated 3 years ago