T1127.001

MSBuild

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations. (Citation: MSDN MSBuild) Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual B...

Windows
18 Detections, 3 Sources, 0 Threat Actors

BY SOURCE

13 elastic, 4 splunk_escu, 1 sigma

PROCEDURES (13)

Network Connection Monitoring: 3 detections

Auto-extracted: 3 detections for network connection monitoring

Unusual: 2 detections

Auto-extracted: 2 detections for unusual

C2: 2 detections

Auto-extracted: 2 detections for c2

Script Execution Monitoring: 2 detections

Auto-extracted: 2 detections for script execution monitoring

WMI: 1 detection

Auto-extracted: 1 detection for wmi

General Monitoring: 1 detection

Auto-extracted: 1 detection for general monitoring

Module Load Monitoring: 1 detection

Auto-extracted: 1 detection for module load monitoring

Process Creation Monitoring: 1 detection

Auto-extracted: 1 detection for process creation monitoring

WMI: 1 detection

Auto-extracted: 1 detection for wmi

Unusual: 1 detection

Auto-extracted: 1 detection for unusual

Suspicious: 1 detection

Auto-extracted: 1 detection for suspicious

Suspicious: 1 detection

Auto-extracted: 1 detection for suspicious

Command Line Monitoring: 1 detection

Auto-extracted: 1 detection for command line monitoring

DETECTIONS (18)