# T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1127/001)
<blockquote>
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)
Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)
</blockquote>
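
An added example, not part of ATT&CK or Atomic Red Team: a static triage check that parses a project file and reports inline tasks, that is, `UsingTask` elements whose `TaskFactory` compiles an embedded `<Code>` block. The two sample documents and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Task factories that compile source embedded in (or referenced by) a project file.
INLINE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}

# Constructed sample inputs (not the Atomic Red Team project files).
SAMPLE_INLINE = r"""<Project ToolsVersion="4.0"
    xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Hello"><HelloTask /></Target>
  <UsingTask TaskName="HelloTask" TaskFactory="CodeTaskFactory"
      AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Fragment" Language="cs">
      <![CDATA[ Log.LogMessage("constructed sample"); ]]>
    </Code></Task>
  </UsingTask>
</Project>"""
SAMPLE_PLAIN = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="Zip" AssemblyFile="tools\Build.Tasks.dll" />
  <ItemGroup><Compile Include="Program.cs" /></ItemGroup>
</Project>"""


def local(tag):
    """Drop the XML namespace: '{ns}UsingTask' -> 'UsingTask'."""
    return tag.rsplit("}", 1)[-1]


def find_inline_tasks(project_xml):
    """Return one finding per <Code> element under an inline-task UsingTask."""
    findings = []
    for using in ET.fromstring(project_xml).iter():
        if local(using.tag) != "UsingTask":
            continue
        factory = using.get("TaskFactory", "")
        if factory.lower() not in INLINE_FACTORIES:
            continue  # task comes from a prebuilt assembly, not inline source
        for code in using.iter():
            if local(code.tag) == "Code":
                findings.append({
                    "task": using.get("TaskName", ""),
                    "factory": factory,
                    "language": code.get("Language", ""),
                    "type": code.get("Type", ""),
                    "source_chars": len((code.text or "").strip()),
                    "external_source": code.get("Source"),
                })
    return findings


if __name__ == "__main__":
    for name, doc in (("inline", SAMPLE_INLINE), ("plain", SAMPLE_PLAIN)):
        print(name, find_inline_tasks(doc))
```

Inline tasks also appear in legitimate builds, so a finding is a triage signal to weigh against where the file sits and which process launched msbuild.exe. For untrusted files, swap in a hardened XML parser such as defusedxml.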
## Atomic Tests
- [Atomic Test #1 - MSBuild Bypass Using Inline Tasks (C#)](#atomic-test-1---msbuild-bypass-using-inline-tasks-c)
- [Atomic Test #2 - MSBuild Bypass Using Inline Tasks (VB)](#atomic-test-2---msbuild-bypass-using-inline-tasks-vb)
<br/>
## Atomic Test #1 - MSBuild Bypass Using Inline Tasks (C#)
Executes the code in a project file using msbuild.exe. The default C# project example file (T1127.001.csproj) will simply print "Hello From a Code Fragment" and "Hello From a Class." to the screen.

**Supported Platforms:** Windows

**auto_generated_guid:** 58742c0f-cb01-44cd-a60b-fb26e8871c93

#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | Location of the project file | path | PathToAtomicsFolder\T1127.001\src\T1127.001.csproj|
| msbuildpath | Default location of MSBuild | path | C:\Windows\Microsoft.NET\Framework\v4.0.30319|
| msbuildname | Default name of MSBuild | path | msbuild.exe|

#### Attack Commands: Run with `command_prompt`!
```cmd
#{msbuildpath}\#{msbuildname} "#{filename}"
```
#### Dependencies: Run with `powershell`!
##### Description: Project file must exist on disk at specified location (#{filename})
##### Check Prereq Commands:
```powershell
if (Test-Path "#{filename}") { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/T1127.001.csproj" -OutFile "#{filename}"
```
<br/>
<br/>
## Atomic Test #2 - MSBuild Bypass Using Inline Tasks (VB)
Executes the code in a project file using msbuild.exe. The default Visual Basic example file (vb.xml) will simply print "Hello from a Visual Basic inline task!" to the screen.

**Supported Platforms:** Windows

**auto_generated_guid:** ab042179-c0c5-402f-9bc8-42741f5ce359

#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | Location of the project file | path | PathToAtomicsFolder\T1127.001\src\vb.xml|
| msbuildpath | Default location of MSBuild | path | C:\Windows\Microsoft.NET\Framework\v4.0.30319|
| msbuildname | Default name of MSBuild | path | msbuild.exe|

#### Attack Commands: Run with `command_prompt`!
```cmd
#{msbuildpath}\#{msbuildname} "#{filename}"
```
#### Dependencies: Run with `powershell`!
##### Description: Project file must exist on disk at specified location (#{filename})
##### Check Prereq Commands:
```powershell
if (Test-Path "#{filename}") { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/vb.xml" -OutFile "#{filename}"
```
<br/>