T1127.001 CrowdStrike LogScale · LogScale

Detect MSBuild in CrowdStrike LogScale

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations. Adversaries can abuse MSBuild to proxy execution of malicious code via the inline task capability introduced in .NET 4, which allows C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. Because MSBuild.exe is a signed Microsoft binary, this technique can execute arbitrary code and bypass application control defenses configured to allow MSBuild.exe execution. Threat actors including PlugX malware and the Empire framework have used this technique to load shellcode and proxy malicious execution.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1127 Trusted Developer Utilities Proxy Execution
Sub-technique
T1127.001 MSBuild
Canonical reference
https://attack.mitre.org/techniques/T1127/001/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// T1127.001 — MSBuild Proxy Execution Detection
// Branch 1: MSBuild spawning suspicious child processes (RiskScore 90)
#repo=base_sensor
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^msbuild\.exe$/
| FileName = /(?i)^(cmd\.exe|powershell\.exe|pwsh\.exe|net\.exe|net1\.exe|whoami\.exe|ipconfig\.exe|nltest\.exe|certutil\.exe|bitsadmin\.exe|regsvr32\.exe|rundll32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|schtasks\.exe|at\.exe|reg\.exe|sc\.exe|curl\.exe|wget\.exe)$/
| RiskScore := 90
| DetectionBranch := "MSBuild spawned suspicious child process"

| union (
  // Branch 2: MSBuild launched by suspicious parent (RiskScore 80)
  #repo=base_sensor
  #event_simpleName=ProcessRollup2
  | FileName = /(?i)^msbuild\.exe$/
  | ParentBaseFileName = /(?i)^(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|explorer\.exe|outlook\.exe|winword\.exe|excel\.exe|powerpnt\.exe|rundll32\.exe|regsvr32\.exe|wmic\.exe)$/
  | RiskScore := 80
  | DetectionBranch := "MSBuild launched by suspicious parent"
)

| union (
  // Branch 3: MSBuild loading project file from suspicious path (RiskScore 75)
  #repo=base_sensor
  #event_simpleName=ProcessRollup2
  | FileName = /(?i)^msbuild\.exe$/
  | CommandLine = /(?i)(\\temp\\|\\appdata\\local\\|\\appdata\\roaming\\|\\programdata\\|\\users\\public\\|\\windows\\tasks\\|\\desktop\\|\\downloads\\)/
  | RiskScore := 75
  | DetectionBranch := "MSBuild project file in suspicious path"
)

| union (
  // Branch 4: MSBuild executed with no arguments (RiskScore 60)
  #repo=base_sensor
  #event_simpleName=ProcessRollup2
  | FileName = /(?i)^msbuild\.exe$/
  | CommandLine = /(?i)^msbuild\.exe\s*$/
  | RiskScore := 60
  | DetectionBranch := "MSBuild executed with no arguments"
)

| select([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, TargetProcessId, RiskScore, DetectionBranch])
| sort(RiskScore, order=desc)
high severity high confidence

CrowdStrike LogScale CQL query detecting MSBuild.exe proxy execution abuse (T1127.001) using Falcon ProcessRollup2 telemetry. Uses union branches to cover: MSBuild spawning known reconnaissance or execution tools (risk 90), MSBuild launched from non-build parent processes (risk 80), MSBuild referencing project files from user-writable directories (risk 75), and MSBuild run without project file arguments (risk 60).

Data Sources

CrowdStrike Falcon Sensor ProcessRollup2 eventsCrowdStrike Falcon base_sensor repository

Required Tables

ProcessRollup2

False Positives & Tuning

  • Software developers running MSBuild directly from PowerShell or cmd.exe terminals on development endpoints enrolled in the Falcon sensor fleet
  • DevOps build agents (e.g., GitHub Actions self-hosted runners, Jenkins executors) that chain MSBuild with post-build child processes such as certutil for code signing or reg.exe for COM registration
  • MSBuild invoked by package manager tooling (vcpkg, Chocolatey) that writes temporary project files to AppData or Temp directories as part of normal package compilation
Download portable Sigma rule (.yml)

Other platforms for T1127.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1MSBuild Inline Task Execution via CodeTaskFactory

    Expected signal: Sysmon Event ID 1: MSBuild.exe process creation with CommandLine referencing the .csproj file in %TEMP%. Sysmon Event ID 1: cmd.exe spawned with ParentImage=MSBuild.exe executing 'whoami'. Sysmon Event ID 11: File creation for df00tech-msbuild-output.txt. Security Event ID 4688 (if command line auditing enabled) for both MSBuild.exe and cmd.exe.

  2. Test 2MSBuild Launched from PowerShell with Temp Path Project File

    Expected signal: Sysmon Event ID 1: powershell.exe process creation writing the project file. Sysmon Event ID 11: File creation for df00tech-ps-build.xml in %TEMP%. Sysmon Event ID 1: MSBuild.exe process creation with ParentImage=powershell.exe and CommandLine referencing .xml file in %TEMP%. Sysmon Event ID 11: File creation for df00tech-executed.txt confirming inline task execution.

  3. Test 3MSBuild with Unusual Project File Extension

    Expected signal: Sysmon Event ID 1: MSBuild.exe with CommandLine referencing a .txt file in %APPDATA%. Sysmon Event ID 11: File creation for df00tech-config.txt in %APPDATA%. Sysmon Event ID 11: File creation for df00tech-recon.txt in %TEMP% confirming successful inline task execution. Sysmon Event ID 12/13: Registry key access under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.

  4. Test 4MSBuild RoslynCodeTaskFactory Inline Execution

    Expected signal: Sysmon Event ID 1: MSBuild.exe launched from Visual Studio or Framework path with CommandLine referencing .csproj in %TEMP%. Sysmon Event ID 7: Image Load events for Roslyn compiler DLLs (Microsoft.CodeAnalysis.CSharp.dll) loaded into MSBuild.exe process — this is a key differentiator for Roslyn-based attacks. Sysmon Event ID 11: File creation of df00tech-roslyn-executed.txt confirming successful execution.

Last updated: 2026-04-18 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1127.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1127Trusted Developer Utilities Proxy Execution

Related Sub-techniques

T1127.002ClickOnceT1127.003JamPlus

Related Techniques

T1127Trusted Developer Utilities Proxy ExecutionT1127.002ClickOnceT1059.001PowerShellT1059.003Windows Command ShellT1218System Binary Proxy ExecutionT1055Process InjectionT1027.009Embedded PayloadsT1036MasqueradingT1105Ingress Tool TransferT1562.001Disable or Modify Tools

Same Tactic: Defense Evasion

Popular Detections