T1127.001 - MSBuild

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)

Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)

Atomic Tests

Atomic Test #1 - MSBuild Bypass Using Inline Tasks (C#)

Executes the code in a project file using msbuild.exe. The default C# project example file (T1127.001.csproj) will simply print “Hello From a Code Fragment” and “Hello From a Class.” to the screen.

Supported Platforms: windows

Dependencies: Run with powershell!

Description: Project file must exist on disk at specified location (#(unknown))
Check Prereq Commands:
if (Test-Path "PathToAtomicsFolder\T1127.001\src\T1127.001.csproj") {exit 0} else {exit 1}

Get Prereq Commands:
New-Item -Type Directory (split-path "PathToAtomicsFolder\T1127.001\src\T1127.001.csproj") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/T1127.001.csproj" -OutFile "PathToAtomicsFolder\T1127.001\src\T1127.001.csproj"

Invoke-AtomicTest T1127.001 -TestNumbers 1 -GetPreReqs

Attack Commands: Run with command_prompt

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe "PathToAtomicsFolder\T1127.001\src\T1127.001.csproj"
Invoke-AtomicTest T1127.001 -TestNumbers 1

Atomic Test #2 - MSBuild Bypass Using Inline Tasks (VB)

Executes the code in a project file using msbuild.exe. The default Visual Basic example file (vb.xml) will simply print “Hello from a Visual Basic inline task!” to the screen.

Supported Platforms: windows

Dependencies: Run with powershell!

Description: Project file must exist on disk at specified location (#(unknown))
Check Prereq Commands:
if (Test-Path "PathToAtomicsFolder\T1127.001\src\vb.xml") {exit 0} else {exit 1}

Get Prereq Commands:
New-Item -Type Directory (split-path "PathToAtomicsFolder\T1127.001\src\vb.xml") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/vb.xml" -OutFile "PathToAtomicsFolder\T1127.001\src\vb.xml"

Invoke-AtomicTest T1127.001 -TestNumbers 2 -GetPreReqs

Attack Commands: Run with command_prompt

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe "PathToAtomicsFolder\T1127.001\src\vb.xml"
Invoke-AtomicTest T1127.001 -TestNumbers 2

Detection

Use process monitoring to monitor the execution and arguments of MSBuild.exe. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.
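The following is an added example, not part of Atomic Red Team or MITRE ATT&CK, of how the process-monitoring guidance above can be turned into triage logic for the inline-task mechanism described at the top of the page. It inspects constructed Sysmon-style process-creation fields for msbuild.exe (parent process, project-file argument) and parses the referenced project XML for a UsingTask backed by CodeTaskFactory or RoslynCodeTaskFactory with a Code body; the parent-process baseline and all sample paths are assumptions.

```python
import re
import xml.etree.ElementTree as ET

INLINE_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}  # factories that compile inline C#/VB
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}  # assumed baseline of normal MSBuild parents
PROJECT_ARG = re.compile(r'"?([^"\s]+\.(?:csproj|vbproj|proj|xml|sln))"?', re.I)

def has_inline_task(project_xml):
    """True when a <UsingTask> uses an inline code factory and carries a <Code> body (namespace-agnostic)."""
    for task in ET.fromstring(project_xml).iter():
        if task.tag.rsplit("}", 1)[-1] == "UsingTask" and task.get("TaskFactory") in INLINE_FACTORIES:
            if any(e.tag.rsplit("}", 1)[-1] == "Code" for e in task.iter()):
                return True
    return False

def triage(event, read_project):
    """Reasons an msbuild.exe process-creation event deserves review (empty list = nothing odd)."""
    reasons = []
    if event["Image"].rsplit("\\", 1)[-1].lower() != "msbuild.exe":
        return reasons
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent process {parent}")
    if match := PROJECT_ARG.search(event["CommandLine"]):
        path = match.group(1)
        if not path.lower().endswith((".csproj", ".vbproj", ".proj", ".sln")):
            reasons.append(f"project file with unusual extension: {path}")
        xml_text = read_project(path)  # None if the file is no longer available on disk
        if xml_text is not None and has_inline_task(xml_text):
            reasons.append("project compiles an inline task (UsingTask + Code)")
    return reasons

# Constructed samples: a project that only lists sources, and one carrying an inline C# task.
NS = 'xmlns="http://schemas.microsoft.com/developer/msbuild/2003"'
BENIGN = f'<Project {NS}><ItemGroup><Compile Include="Program.cs"/></ItemGroup></Project>'
INLINE = (f'<Project {NS}><Target Name="Hello"><Greet/></Target><UsingTask TaskName="Greet" '
          'TaskFactory="CodeTaskFactory" AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">'
          '<Task><Code Type="Fragment" Language="cs">Console.WriteLine("Hello From a Code Fragment");'
          '</Code></Task></UsingTask></Project>')
FILES = {r"C:\src\app\app.csproj": BENIGN, r"C:\Users\u\Downloads\vb.xml": INLINE}  # constructed paths
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
SAMPLE_EVENTS = [  # constructed Sysmon-style Event ID 1 fields
    {"Image": MSBUILD, "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "CommandLine": r'msbuild.exe "C:\src\app\app.csproj"'},
    {"Image": MSBUILD, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'msbuild.exe "C:\Users\u\Downloads\vb.xml"'},
]

def triage_samples():
    return [triage(e, FILES.get) for e in SAMPLE_EVENTS]
```

Run against real telemetry, `read_project` would fetch the file named on the command line (or a copy captured at the time of the event), since the project may be deleted after execution.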