Detect MSBuild in Elastic Security
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations. Adversaries can abuse MSBuild to proxy execution of malicious code via the inline task capability introduced in .NET 4, which allows C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. Because MSBuild.exe is a signed Microsoft binary, this technique can execute arbitrary code and bypass application control defenses configured to allow MSBuild.exe execution. Threat actors including PlugX malware and the Empire framework have used this technique to load shellcode and proxy malicious execution.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Sub-technique
- T1127.001 MSBuild
- Canonical reference
- https://attack.mitre.org/techniques/T1127/001/
Elastic Detection Query
sequence by host.id with maxspan=5m
[
process where event.type == "start" and
(
/* Branch 2: MSBuild launched by suspicious parent */
(process.name : "MSBuild.exe" and
process.parent.name : ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe","explorer.exe","outlook.exe","winword.exe","excel.exe","powerpnt.exe","rundll32.exe","regsvr32.exe","wmic.exe"))
or
/* Branch 3: MSBuild loading project file from suspicious path */
(process.name : "MSBuild.exe" and
process.args : ("*\\Temp\\*","*\\AppData\\Local\\*","*\\AppData\\Roaming\\*","*\\ProgramData\\*","*\\Users\\Public\\*","*\\Windows\\Tasks\\*","*\\Desktop\\*","*\\Downloads\\*"))
or
/* Branch 4: MSBuild with no arguments */
(process.name : "MSBuild.exe" and
(process.args_count == 0 or process.command_line : "MSBuild.exe"))
)
]
/* Standalone Branch 1: MSBuild spawning suspicious child processes */
pipe
process where event.type == "start" and
process.parent.name : "MSBuild.exe" and
process.name : ("cmd.exe","powershell.exe","pwsh.exe","net.exe","net1.exe","whoami.exe","ipconfig.exe","nltest.exe","certutil.exe","bitsadmin.exe","regsvr32.exe","rundll32.exe","mshta.exe","wscript.exe","cscript.exe","schtasks.exe","at.exe","reg.exe","sc.exe","curl.exe","wget.exe")Detects MSBuild.exe abuse for proxy execution of malicious code (T1127.001) across four detection branches: MSBuild spawning suspicious child processes (RiskScore 90), MSBuild launched by non-build-tooling parents (RiskScore 80), MSBuild loading project files from suspicious filesystem paths (RiskScore 75), and MSBuild executed with no meaningful arguments (RiskScore 60).
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software developers invoking MSBuild.exe from command prompts or PowerShell during active development or CI/CD pipelines
- MSBuild triggered by Visual Studio or development IDEs that launch cmd.exe or PowerShell as part of post-build events or test runners
- Automated build systems (Jenkins, Azure DevOps agents, TeamCity) that run MSBuild from scripts and may spawn post-build tools like certutil for signing
Other platforms for T1127.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1MSBuild Inline Task Execution via CodeTaskFactory
Expected signal: Sysmon Event ID 1: MSBuild.exe process creation with CommandLine referencing the .csproj file in %TEMP%. Sysmon Event ID 1: cmd.exe spawned with ParentImage=MSBuild.exe executing 'whoami'. Sysmon Event ID 11: File creation for df00tech-msbuild-output.txt. Security Event ID 4688 (if command line auditing enabled) for both MSBuild.exe and cmd.exe.
- Test 2MSBuild Launched from PowerShell with Temp Path Project File
Expected signal: Sysmon Event ID 1: powershell.exe process creation writing the project file. Sysmon Event ID 11: File creation for df00tech-ps-build.xml in %TEMP%. Sysmon Event ID 1: MSBuild.exe process creation with ParentImage=powershell.exe and CommandLine referencing .xml file in %TEMP%. Sysmon Event ID 11: File creation for df00tech-executed.txt confirming inline task execution.
- Test 3MSBuild with Unusual Project File Extension
Expected signal: Sysmon Event ID 1: MSBuild.exe with CommandLine referencing a .txt file in %APPDATA%. Sysmon Event ID 11: File creation for df00tech-config.txt in %APPDATA%. Sysmon Event ID 11: File creation for df00tech-recon.txt in %TEMP% confirming successful inline task execution. Sysmon Event ID 12/13: Registry key access under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.
- Test 4MSBuild RoslynCodeTaskFactory Inline Execution
Expected signal: Sysmon Event ID 1: MSBuild.exe launched from Visual Studio or Framework path with CommandLine referencing .csproj in %TEMP%. Sysmon Event ID 7: Image Load events for Roslyn compiler DLLs (Microsoft.CodeAnalysis.CSharp.dll) loaded into MSBuild.exe process — this is a key differentiator for Roslyn-based attacks. Sysmon Event ID 11: File creation of df00tech-roslyn-executed.txt confirming successful execution.
References (9)
- https://attack.mitre.org/techniques/T1127/001/
- https://lolbas-project.github.io/lolbas/Binaries/Msbuild/
- https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-inline-tasks
- https://msdn.microsoft.com/library/dd393574.aspx
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msbuild_susp_use.yml
- https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/
- https://blog.talosintelligence.com/lost-in-translation/
- https://www.sans.org/blog/application-whitelisting-bypass-using-msbuild-exe/
Unlock Pro Content
Get the full detection package for T1127.001 including response playbook, investigation guide, and atomic red team tests.