Description
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)
Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)
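As an added example (not part of the ATT&CK page), the following Python check scans an MSBuild project file for the inline-task pattern described above: a UsingTask that is backed by an inline task factory or that carries a Code element, reported together with the targets that invoke it. The sample project is constructed; RoslynCodeTaskFactory is the newer inline factory shipped with later MSBuild versions and is included as a known addition beyond the page's text.

```python
import xml.etree.ElementTree as ET

# Constructed sample project (not a real artifact): a target running a C#
# fragment embedded via the inline-task feature the description covers.
SAMPLE_PROJECT = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <HelloTask />
  </Target>
  <UsingTask TaskName="HelloTask" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Fragment" Language="cs">
        System.Console.WriteLine("hello from an inline task");
      </Code>
    </Task>
  </UsingTask>
</Project>"""

# Task factories that compile source text placed inside the project file.
INLINE_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}

def _local(tag):
    """Strip the XML namespace so old-style and SDK-style projects look alike."""
    return tag.rsplit("}", 1)[-1]

def find_inline_tasks(xml_text):
    """Return one record per UsingTask that embeds compilable source, with the
    targets that invoke it, so a hit can be traced to something that executes."""
    root = ET.fromstring(xml_text)
    callers = {}  # task name -> targets whose steps call that task
    for target in root.iter():
        if _local(target.tag) == "Target":
            for step in target:
                callers.setdefault(_local(step.tag), []).append(target.get("Name", ""))
    hits = []
    for using in root.iter():
        if _local(using.tag) != "UsingTask":
            continue
        code = [el for el in using.iter() if _local(el.tag) == "Code"]
        factory = using.get("TaskFactory", "")
        if not code and factory not in INLINE_FACTORIES:
            continue  # ordinary task loaded from a compiled assembly
        name = using.get("TaskName", "")
        hits.append({"task": name, "factory": factory,
                     "language": code[0].get("Language", "cs") if code else "",
                     "called_by": callers.get(name, [])})
    return hits
```

Run over project files found under user-writable paths, a non-empty result is the case worth reviewing, since a legitimate build rarely needs source embedded in the project XML.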
Platforms
Mitigations (2)
Disable or Remove Feature or Program (M1042)
MSBuild.exe may not be necessary within an environment and should be removed if not being used.
Execution Prevention (M1038)
Use application control configured to block execution of msbuild.exe if it is not required for a given system or network to prevent potential misuse by adversaries. For example, in Windows 10 and Windows Server 2016 and above, Windows Defender Application Control (WDAC) policy rules may be applied to block the msbuild.exe application and to prevent abuse.(Citation: Micros
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S9025 | NOOPLDR | Malware | [NOOPLDR](https://attack.mitre.org/software/S9025) can be executed via MSBuild.(Citation: JPCERT MirrorFace JUL 2024) |
| S0013 | PlugX | Malware | A version of [PlugX](https://attack.mitre.org/software/S0013) loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypa... |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) can use built-in modules to abuse trusted utilities like MSBuild.exe.(Citation: Github PowerShell Em... |
References
- LOLBAS. (n.d.). Msbuild.exe. Retrieved July 31, 2019.
- Microsoft. (2017, September 21). MSBuild inline tasks. Retrieved March 5, 2021.
- Microsoft. (n.d.). MSBuild. Retrieved November 30, 2016.
Frequently Asked Questions
What is T1127.001 (MSBuild)?
T1127.001 is a MITRE ATT&CK technique named 'MSBuild'. It belongs to the Stealth, Execution tactic(s). Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML format...
How can T1127.001 be detected?
Detection of T1127.001 (MSBuild) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1127.001?
There are 2 documented mitigations for T1127.001. Key mitigations include: Disable or Remove Feature or Program, Execution Prevention.
Which threat groups use T1127.001?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.