- Tactics
- stealth, Execution
- Platforms
- Windows
- Reference
- attack.mitre.org/techniques/T1127.001
Description
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)
Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)
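As a defender-side illustration of the inline task mechanism described above, the following added example (not code from MITRE or GTK Cyber) scans a project file for tasks that embed source code to be compiled at build time. The factory names `CodeTaskFactory` and `RoslynCodeTaskFactory` and the `UsingTask`/`Code` element names come from Microsoft's MSBuild documentation rather than this page; the function name and sample files are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Task factories that compile code embedded in a project file (documented MSBuild names).
INLINE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}

def local(tag):
    """Strip the XML namespace so files with and without xmlns match."""
    return tag.rsplit("}", 1)[-1].lower()

def find_inline_tasks(project_xml):
    """Return one finding per Code element under a UsingTask that uses an inline-code factory."""
    try:
        root = ET.fromstring(project_xml)
    except ET.ParseError:
        return [{"task": None, "error": "unparseable project file"}]
    findings = []
    for el in root.iter():
        if local(el.tag) != "usingtask":
            continue
        attrs = {k.lower(): v for k, v in el.attrib.items()}
        factory = attrs.get("taskfactory", "")
        if factory.lower() not in INLINE_FACTORIES:
            continue
        for code in (c for c in el.iter() if local(c.tag) == "code"):
            cattrs = {k.lower(): v for k, v in code.attrib.items()}
            findings.append({
                "task": attrs.get("taskname"),
                "factory": factory,
                "language": cattrs.get("language"),        # e.g. cs or vb
                "external_source": cattrs.get("source"),   # code kept in a separate file
                "code_chars": len((code.text or "").strip()),
            })
    return findings

# Constructed sample input: a harmless inline task that only logs a message.
SAMPLE = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="Hello" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Fragment" Language="cs">Log.LogMessage("hello");</Code></Task>
  </UsingTask>
  <Target Name="Build"><Hello /></Target>
</Project>"""

# Constructed sample input: an ordinary project with no inline task.
PLAIN = "<Project><Target Name='Build'><Message Text='hi' /></Target></Project>"

if __name__ == "__main__":
    for finding in find_inline_tasks(SAMPLE):
        print(finding)
```

Inline tasks also appear in legitimate builds, so a finding is a triage lead to correlate with where the file lives and which process launched MSBuild.exe. `xml.etree.ElementTree` is not hardened against hostile XML; use a hardened parser such as `defusedxml` when scanning untrusted files.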
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the stealth, Execution tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1006 — Direct Volume Access
- T1014 — Rootkit
- T1027 — Obfuscated Files or Information
- T1036 — Masquerading
- T1047 — Windows Management Instrumentation
- T1053 — Scheduled Task/Job
- T1055 — Process Injection
- T1059 — Command and Scripting Interpreter
- T1070 — Indicator Removal
- T1072 — Software Deployment Tools
- T1078 — Valid Accounts
- T1106 — Native API