2020-06-17 12:55:46 -06:00
attack_technique: T1127.001
display_name: 'Trusted Developer Utilities Proxy Execution: MSBuild'
atomic_tests:
- name: MSBuild Bypass Using Inline Tasks (C#)
  auto_generated_guid: 58742c0f-cb01-44cd-a60b-fb26e8871c93
  description: |
    Executes the code in a project file using msbuild.exe. The default C# project example file (T1127.001.csproj) will simply print "Hello From a Code Fragment" and "Hello From a Class." to the screen.
  supported_platforms:
  - windows
  input_arguments:
    filename:
      description: Location of the project file
      type: path
      default: PathToAtomicsFolder\T1127.001\src\T1127.001.csproj
    msbuildpath:
      description: Default location of MSBuild
      type: path
      default: C:\Windows\Microsoft.NET\Framework\v4.0.30319
    msbuildname:
      description: Default name of MSBuild
      type: path
      default: msbuild.exe
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Project file must exist on disk at specified location (#{filename})
    prereq_command: |
      if (Test-Path "#{filename}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/T1127.001.csproj" -OutFile "#{filename}"
  executor:
    command: |
      #{msbuildpath}\#{msbuildname} "#{filename}"
    name: command_prompt
- name: MSBuild Bypass Using Inline Tasks (VB)
  auto_generated_guid: ab042179-c0c5-402f-9bc8-42741f5ce359
  description: |
    Executes the code in a project file using msbuild.exe. The default Visual Basic example file (vb.xml) will simply print "Hello from a Visual Basic inline task!" to the screen.
  supported_platforms:
  - windows
  input_arguments:
    filename:
      description: Location of the project file
      type: path
      default: PathToAtomicsFolder\T1127.001\src\vb.xml
    msbuildpath:
      description: Default location of MSBuild
      type: path
      default: C:\Windows\Microsoft.NET\Framework\v4.0.30319
    msbuildname:
      description: Default name of MSBuild
      type: path
      default: msbuild.exe
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Project file must exist on disk at specified location (#{filename})
    prereq_command: |
      if (Test-Path "#{filename}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/vb.xml" -OutFile "#{filename}"
  executor:
    command: |
      #{msbuildpath}\#{msbuildname} "#{filename}"
    name: command_prompt