# T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1127/001)
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)
Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)
## Atomic Tests
- [Atomic Test #1 - MSBuild Bypass Using Inline Tasks (C#)](#atomic-test-1---msbuild-bypass-using-inline-tasks-c)
- [Atomic Test #2 - MSBuild Bypass Using Inline Tasks (VB)](#atomic-test-2---msbuild-bypass-using-inline-tasks-vb)
## Atomic Test #1 - MSBuild Bypass Using Inline Tasks (C#)
Executes the code in a project file using msbuild.exe. The default C# project example file (T1127.001.csproj) will simply print "Hello From a Code Fragment" and "Hello From a Class." to the screen.
**Supported Platforms:** Windows
**auto_generated_guid:** 58742c0f-cb01-44cd-a60b-fb26e8871c93
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | Location of the project file | path | PathToAtomicsFolder\T1127.001\src\T1127.001.csproj|
| msbuildpath | Default location of MSBuild | path | C:\Windows\Microsoft.NET\Framework\v4.0.30319|
| msbuildname | Default name of MSBuild | path | msbuild.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{msbuildpath}\#{msbuildname} "#{filename}"
```
#### Dependencies: Run with `powershell`!
##### Description: Project file must exist on disk at specified location (#{filename})
##### Check Prereq Commands:
```powershell
if (Test-Path "#{filename}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/T1127.001.csproj" -OutFile "#{filename}"
```
## Atomic Test #2 - MSBuild Bypass Using Inline Tasks (VB)
Executes the code in a project file using msbuild.exe. The default Visual Basic example file (vb.xml) will simply print "Hello from a Visual Basic inline task!" to the screen.
**Supported Platforms:** Windows
**auto_generated_guid:** ab042179-c0c5-402f-9bc8-42741f5ce359
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | Location of the project file | path | PathToAtomicsFolder\T1127.001\src\vb.xml|
| msbuildpath | Default location of MSBuild | path | C:\Windows\Microsoft.NET\Framework\v4.0.30319|
| msbuildname | Default name of MSBuild | path | msbuild.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{msbuildpath}\#{msbuildname} "#{filename}"
```
#### Dependencies: Run with `powershell`!
##### Description: Project file must exist on disk at specified location (#{filename})
##### Check Prereq Commands:
```powershell
if (Test-Path "#{filename}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{filename}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/vb.xml" -OutFile "#{filename}"
```