MSBuild

A trusted, signed Windows binary.

Last updated 5 years ago

Let's look at some examples. We can add PowerShell code to an XML file, have MSBuild compile it, and execute it to call a shell back to us. This automates the process of leveraging the MSBuild technique to place a PowerShell payload in an inline-task XML file that can be launched.

I continued with the use of this tool for creating shells using MSBuild and converting the file into an XML format, a perfect use for MSBuild.

Let's copy this onto our victim machine.

We can see that we saved the z.xml file onto the machine (the name can be whatever you like). From here we need to move to the MSBuild directory and load the executable.

Let's use MSBuild to execute our XML file.

We can also execute csproj files, as MSBuild compiles these as well.
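From the defender's side, the inline task is the part worth triaging: a project file that embeds source for MSBuild to compile at build time. The sketch below is an added example, not code from this page or from the tool it mentions. It flags `UsingTask` elements that use `CodeTaskFactory` or `RoslynCodeTaskFactory` or carry a `<Code>` element; the function names and both sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Task factories that compile source embedded in the project file at build time.
INLINE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}

def local(tag):
    """Drop the XML namespace so namespaced and bare project files both match."""
    return tag.rsplit("}", 1)[-1]

def find_inline_tasks(project_xml):
    """Return one finding per UsingTask element that embeds source code."""
    root = ET.fromstring(project_xml)
    # Names of every element placed inside a <Target>, i.e. tasks that will run.
    invoked = {local(t.tag) for tgt in root.iter() if local(tgt.tag) == "Target"
               for t in tgt.iter() if t is not tgt}
    findings = []
    for el in root.iter():
        if local(el.tag) != "UsingTask":
            continue
        factory = el.get("TaskFactory", "")
        code = [c for c in el.iter() if local(c.tag) == "Code"]
        if factory.lower() not in INLINE_FACTORIES and not code:
            continue
        body = "".join(c.text or "" for c in code).lower()
        findings.append({
            "task": el.get("TaskName", ""),
            "factory": factory,
            "language": code[0].get("Language", "") if code else "",
            "invoked": el.get("TaskName", "") in invoked,
            "mentions_powershell": "powershell" in body
                                   or "system.management.automation" in body,
        })
    return findings

# Constructed samples: the inline task body is a harmless comment.
SUSPECT = r"""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Run"><Demo /></Target>
  <UsingTask TaskName="Demo" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Fragment" Language="cs"><![CDATA[
      // placeholder body that only names PowerShell in a comment
    ]]></Code></Task>
  </UsingTask>
</Project>"""
PLAIN = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net8.0</TargetFramework></PropertyGroup>
</Project>"""

if __name__ == "__main__":
    for name, doc in (("z.xml", SUSPECT), ("app.csproj", PLAIN)):
        print(name, find_inline_tasks(doc))
```

A hit is a lead rather than a verdict, since legitimate builds also use inline tasks; it carries more weight when the file sits outside a source tree or was built by MSBuild on a host with no development tooling.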

This tool uses techniques that are already published, as stated in the README: "This script will generate payloads for basic intrusion detection avoidance. It utilizes publicly demonstrated techniques from several different sources."

mgeeky’s gists (Gist)

Screenshots: z.xml; MSBuild Path