Trusted Developer Utilities Proxy Execution: MSBuild

Created the Tuesday 07 March 2023. Updated 6 months, 1 week ago.

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.

Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution

Technique Identifier

T1127.001

Technique Tags

Defense Evasion proxy execution of malicious code MSBuild.exe (Microsoft Build Engine) execute arbitrary code bypass application control defenses .NET Framework 4

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Trusted Developer Utilities Proxy Execution: MSBuild, Sub-technique T1127.001 - Enterprise | MITRE ATT&CK®