T1127.001 Google Chronicle · YARA-L

Detect MSBuild in Google Chronicle

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is the software build platform used by Visual Studio. It consumes XML-formatted project files that define the requirements for loading and building various platforms and configurations. Adversaries can abuse MSBuild to proxy execution of malicious code via the inline task capability introduced in .NET 4, which allows C# or Visual Basic code to be embedded in an XML project file; MSBuild compiles and executes the inline task. Because MSBuild.exe is a signed Microsoft binary, this technique can execute arbitrary code and bypass application control defenses configured to allow MSBuild.exe. Malware and post-exploitation tooling including PlugX and the Empire framework have used this technique to load shellcode and proxy malicious execution.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1127 Trusted Developer Utilities Proxy Execution
Sub-technique: T1127.001 MSBuild
Canonical reference: https://attack.mitre.org/techniques/T1127/001/

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule msbuild_proxy_execution_t1127_001 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects MSBuild.exe abuse for proxy execution of malicious code via inline task capability (T1127.001). Covers suspicious child process spawning, suspicious parent ancestry, project files in writable paths, and no-argument invocations."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1127.001"
    reference = "https://attack.mitre.org/techniques/T1127/001/"
    created = "2026-04-18"

  events:
    (
      /* Branch 1: MSBuild spawning suspicious child processes */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.principal.process.file.full_path, `(?i)msbuild\.exe$`)
        and re.regex($e.target.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|net\.exe|net1\.exe|whoami\.exe|ipconfig\.exe|nltest\.exe|certutil\.exe|bitsadmin\.exe|regsvr32\.exe|rundll32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|schtasks\.exe|at\.exe|reg\.exe|sc\.exe|curl\.exe|wget\.exe)$`)
      )
      or
      /* Branch 2: MSBuild launched by suspicious parent */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)msbuild\.exe$`)
        and re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|explorer\.exe|outlook\.exe|winword\.exe|excel\.exe|powerpnt\.exe|rundll32\.exe|regsvr32\.exe|wmic\.exe)$`)
      )
      or
      /* Branch 3: MSBuild loading project file from suspicious path */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)msbuild\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(\\temp\\|\\appdata\\local\\|\\appdata\\roaming\\|\\programdata\\|\\users\\public\\|\\windows\\tasks\\|\\desktop\\|\\downloads\\)`)
      )
      or
      /* Branch 4: MSBuild with no meaningful arguments.
         The command line is either empty or consists solely of the
         (optionally quoted, optionally full-path) MSBuild.exe image
         with nothing after it. */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)msbuild\.exe$`)
        and (
          $e.target.process.command_line = ""
          or re.regex($e.target.process.command_line, `(?i)^"?([a-z]:\\[^"]*\\)?msbuild\.exe"?\s*$`)
        )
      )
    )

  condition:
    $e
}
```

Severity: high. Confidence: high.

Chronicle YARA-L 2.0 rule detecting MSBuild.exe proxy execution abuse (T1127.001) using UDM process launch events. Covers all four behavioral branches: MSBuild spawning known post-exploitation child processes, MSBuild launched from non-build-tooling parents, MSBuild referencing project files in user-writable or temp directories, and MSBuild with no project file arguments.
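To check the branch logic offline before deploying, the following is an added Python harness (not part of the page and not Chronicle code) that mirrors the four branch regexes and runs them over constructed UDM-shaped process launch events; the flattened keys `principal_path`, `target_path` and `command_line` are stand-ins for the UDM fields `principal.process.file.full_path`, `target.process.file.full_path` and `target.process.command_line`.

```python
import re

# Regexes mirroring the four branches of the YARA-L rule (constructed test harness).
MSBUILD = re.compile(r"msbuild\.exe$", re.I)
SUSPICIOUS_CHILD = re.compile(r"(cmd\.exe|powershell\.exe|pwsh\.exe|net\.exe|net1\.exe|whoami\.exe|ipconfig\.exe|nltest\.exe|certutil\.exe|bitsadmin\.exe|regsvr32\.exe|rundll32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|schtasks\.exe|at\.exe|reg\.exe|sc\.exe|curl\.exe|wget\.exe)$", re.I)
SUSPICIOUS_PARENT = re.compile(r"(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|explorer\.exe|outlook\.exe|winword\.exe|excel\.exe|powerpnt\.exe|rundll32\.exe|regsvr32\.exe|wmic\.exe)$", re.I)
WRITABLE_PATH = re.compile(r"(\\temp\\|\\appdata\\local\\|\\appdata\\roaming\\|\\programdata\\|\\users\\public\\|\\windows\\tasks\\|\\desktop\\|\\downloads\\)", re.I)
# Branch 4: bare image name, optionally quoted and/or with a full path, and nothing else.
NO_ARGS = re.compile(r'^"?([a-z]:\\[^"]*\\)?msbuild\.exe"?\s*$', re.I)


def matching_branches(ev):
    """Return the list of rule branches (1-4) that a PROCESS_LAUNCH event satisfies."""
    if ev.get("event_type") != "PROCESS_LAUNCH":
        return []
    parent, child, cmd = ev["principal_path"], ev["target_path"], ev.get("command_line", "")
    hits = []
    if MSBUILD.search(parent) and SUSPICIOUS_CHILD.search(child):
        hits.append(1)                       # MSBuild is the parent of a suspicious child
    if MSBUILD.search(child):                # branches 2-4 need MSBuild as the launched process
        if SUSPICIOUS_PARENT.search(parent):
            hits.append(2)
        if WRITABLE_PATH.search(cmd):
            hits.append(3)
        if cmd == "" or NO_ARGS.search(cmd):
            hits.append(4)
    return hits


def launch(parent, child, cmd):
    """Build a constructed, UDM-shaped PROCESS_LAUNCH event."""
    return {"event_type": "PROCESS_LAUNCH", "principal_path": parent, "target_path": child, "command_line": cmd}


FX64 = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
VS_BIN = r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin"

# Constructed sample events covering each branch plus a benign CI build that should not fire.
EVENTS = {
    "msbuild_spawns_cmd": launch(FX64 + r"\MSBuild.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    "powershell_runs_temp_project": launch(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                                           FX64 + r"\MSBuild.exe",
                                           '"' + FX64 + r'\MSBuild.exe" C:\Users\alice\AppData\Local\Temp\build.xml'),
    "bare_msbuild_from_devenv": launch(VS_BIN.rsplit("\\", 2)[0] + r"\IDE\devenv.exe", VS_BIN + r"\MSBuild.exe",
                                       '"' + VS_BIN + r'\MSBuild.exe"'),
    "benign_ci_build": launch(r"C:\agent\bin\Agent.Worker.exe", FX64 + r"\MSBuild.exe",
                              '"' + FX64 + r'\MSBuild.exe" C:\agent\_work\1\s\App.sln /p:Configuration=Release'),
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name}: branches {matching_branches(ev)}")
```

The benign CI case shows why branch 4 needs the full-path-aware regex: a quoted full path to MSBuild.exe with real arguments must not match, while the same quoted path alone must.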

Data Sources

  • Google Chronicle UDM via Windows Forwarding
  • Chronicle Ingestion API with Sysmon parser
  • Google Chronicle with CrowdStrike Falcon parser

Required Tables

UDM PROCESS_LAUNCH events

False Positives & Tuning

  • Enterprise developer workstations where developers regularly invoke MSBuild directly from PowerShell or cmd.exe terminals during active coding sessions
  • Automated deployment systems such as Octopus Deploy or TeamCity agents that execute MSBuild as a build step and subsequently call child tools like reg.exe or sc.exe for service registration
  • Visual Studio project templates or extension installers that spawn MSBuild from explorer.exe or winword.exe during document macro execution via legitimate Office integration scenarios
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: MSBuild Inline Task Execution via CodeTaskFactory

    Expected signal: Sysmon Event ID 1: MSBuild.exe process creation with CommandLine referencing the .csproj file in %TEMP%. Sysmon Event ID 1: cmd.exe spawned with ParentImage=MSBuild.exe executing 'whoami'. Sysmon Event ID 11: File creation for df00tech-msbuild-output.txt. Security Event ID 4688 (if command line auditing is enabled) for both MSBuild.exe and cmd.exe.

  2. Test 2: MSBuild Launched from PowerShell with Temp Path Project File

    Expected signal: Sysmon Event ID 1: powershell.exe process creation writing the project file. Sysmon Event ID 11: File creation for df00tech-ps-build.xml in %TEMP%. Sysmon Event ID 1: MSBuild.exe process creation with ParentImage=powershell.exe and CommandLine referencing the .xml file in %TEMP%. Sysmon Event ID 11: File creation for df00tech-executed.txt confirming inline task execution.

  3. Test 3: MSBuild with Unusual Project File Extension

    Expected signal: Sysmon Event ID 1: MSBuild.exe with CommandLine referencing a .txt file in %APPDATA%. Sysmon Event ID 11: File creation for df00tech-config.txt in %APPDATA%. Sysmon Event ID 11: File creation for df00tech-recon.txt in %TEMP% confirming successful inline task execution. Sysmon Event ID 12/13: Registry key access under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.

  4. Test 4: MSBuild RoslynCodeTaskFactory Inline Execution

    Expected signal: Sysmon Event ID 1: MSBuild.exe launched from the Visual Studio or Framework path with CommandLine referencing a .csproj in %TEMP%. Sysmon Event ID 7: Image Load events for Roslyn compiler DLLs (Microsoft.CodeAnalysis.CSharp.dll) loaded into the MSBuild.exe process; this is a key differentiator for Roslyn-based attacks. Sysmon Event ID 11: File creation of df00tech-roslyn-executed.txt confirming successful execution.
