Detect MSBuild in IBM QRadar
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML-formatted project files that define requirements for loading and building various platforms and configurations. Adversaries can abuse MSBuild to proxy execution of malicious code via the inline task capability introduced in .NET 4, which allows C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. Because MSBuild.exe is a signed Microsoft binary, this technique can execute arbitrary code and bypass application control defenses configured to allow MSBuild.exe execution. The technique has been observed in PlugX malware and in the Empire framework, which use it to load shellcode and proxy malicious execution.
MITRE ATT&CK
- Tactic: Defense Evasion
- Sub-technique: T1127.001 MSBuild
- Canonical reference: https://attack.mitre.org/techniques/T1127/001/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
logsourcename(logsourceid) AS log_source,
"username",
"sourceip",
QIDNAME(qid) AS event_name,
"ProcessName",
"ParentProcessName",
"CommandLine",
CASE
WHEN LOWER("ParentProcessName") LIKE '%msbuild.exe' AND
REGEXP_CONTAINS(LOWER("ProcessName"), '(cmd\.exe|powershell\.exe|pwsh\.exe|net\.exe|net1\.exe|whoami\.exe|certutil\.exe|bitsadmin\.exe|regsvr32\.exe|rundll32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|schtasks\.exe|reg\.exe|sc\.exe|curl\.exe|wget\.exe|nltest\.exe|ipconfig\.exe)$')
THEN 90
WHEN LOWER("ProcessName") LIKE '%msbuild.exe' AND
REGEXP_CONTAINS(LOWER("ParentProcessName"), '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|explorer\.exe|outlook\.exe|winword\.exe|excel\.exe|powerpnt\.exe|rundll32\.exe|regsvr32\.exe|wmic\.exe)$')
THEN 80
WHEN LOWER("ProcessName") LIKE '%msbuild.exe' AND
REGEXP_CONTAINS(LOWER("CommandLine"), '(\\\\temp\\\\|\\\\appdata\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\windows\\\\tasks\\\\|\\\\downloads\\\\|\\\\desktop\\\\)')
THEN 75
WHEN LOWER("ProcessName") LIKE '%msbuild.exe' AND
("CommandLine" IS NULL OR LOWER(TRIM("CommandLine")) = 'msbuild.exe')
THEN 60
ELSE 0
END AS risk_score,
CASE
WHEN LOWER("ParentProcessName") LIKE '%msbuild.exe' AND
REGEXP_CONTAINS(LOWER("ProcessName"), '(cmd\.exe|powershell\.exe|pwsh\.exe|net\.exe|net1\.exe|whoami\.exe|certutil\.exe|bitsadmin\.exe|regsvr32\.exe|rundll32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|schtasks\.exe|reg\.exe|sc\.exe|curl\.exe|wget\.exe|nltest\.exe|ipconfig\.exe)$')
THEN 'MSBuild spawned suspicious child process'
WHEN LOWER("ProcessName") LIKE '%msbuild.exe' AND
REGEXP_CONTAINS(LOWER("ParentProcessName"), '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|explorer\.exe|outlook\.exe|winword\.exe|excel\.exe|powerpnt\.exe|rundll32\.exe|regsvr32\.exe|wmic\.exe)$')
THEN 'MSBuild launched by suspicious parent'
WHEN LOWER("ProcessName") LIKE '%msbuild.exe' AND
REGEXP_CONTAINS(LOWER("CommandLine"), '(\\\\temp\\\\|\\\\appdata\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\windows\\\\tasks\\\\|\\\\downloads\\\\|\\\\desktop\\\\)')
THEN 'MSBuild project file in suspicious path'
WHEN LOWER("ProcessName") LIKE '%msbuild.exe' AND
("CommandLine" IS NULL OR LOWER(TRIM("CommandLine")) = 'msbuild.exe')
THEN 'MSBuild executed with no arguments'
ELSE 'none'
END AS detection_branch
FROM events
WHERE
LOGSOURCETYPEID IN (12, 13, 14, 15) -- Windows Security, Sysmon, System, Application
AND starttime > NOW() - 86400 SECONDS
AND (
(LOWER("ParentProcessName") LIKE '%msbuild.exe' AND "ProcessName" IS NOT NULL)
OR
LOWER("ProcessName") LIKE '%msbuild.exe'
)
AND (
CASE
WHEN LOWER("ParentProcessName") LIKE '%msbuild.exe' AND
REGEXP_CONTAINS(LOWER("ProcessName"), '(cmd\.exe|powershell\.exe|pwsh\.exe|net\.exe|net1\.exe|whoami\.exe|certutil\.exe|bitsadmin\.exe|regsvr32\.exe|rundll32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|schtasks\.exe|reg\.exe|sc\.exe|curl\.exe|wget\.exe|nltest\.exe|ipconfig\.exe)$')
THEN TRUE
WHEN LOWER("ProcessName") LIKE '%msbuild.exe' AND
REGEXP_CONTAINS(LOWER("ParentProcessName"), '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|explorer\.exe|outlook\.exe|winword\.exe|excel\.exe|powerpnt\.exe|rundll32\.exe|regsvr32\.exe|wmic\.exe)$')
THEN TRUE
WHEN LOWER("ProcessName") LIKE '%msbuild.exe' AND
REGEXP_CONTAINS(LOWER("CommandLine"), '(\\\\temp\\\\|\\\\appdata\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\windows\\\\tasks\\\\|\\\\downloads\\\\|\\\\desktop\\\\)')
THEN TRUE
WHEN LOWER("ProcessName") LIKE '%msbuild.exe' AND
("CommandLine" IS NULL OR LOWER(TRIM("CommandLine")) = 'msbuild.exe')
THEN TRUE
ELSE FALSE
END
)
ORDER BY risk_score DESC, starttime DESC

QRadar AQL query detecting MSBuild.exe proxy execution abuse across four branches: suspicious child process spawning (risk 90), suspicious parent launching MSBuild (risk 80), project files loaded from temp/user-writable paths (risk 75), and MSBuild invoked without arguments (risk 60). Targets Windows Security and Sysmon log sources.
False Positives & Tuning
- Developer workstations where MSBuild is invoked directly from PowerShell or cmd.exe during regular software development workflows
- CI/CD agents that chain MSBuild invocations via scripts and produce post-build child processes like certutil or reg.exe for packaging
- Software packaging tools (WiX Toolset, NuGet) that invoke MSBuild from explorer context menus or non-standard parent processes
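To make the four detection branches and the tuning guidance above concrete, here is an added Python example (not code from the original page or from the detection vendor) that re-implements the AQL CASE logic over constructed Sysmon-style process-creation events and then applies an allowlist for known build hosts. The event fields, the `hostname` attribute, the `BUILD_HOSTS` set and the sample events are all constructed for illustration; the process, parent and path patterns are copied from the query.

```python
"""Added example: the MSBuild detection branches from the AQL query,
re-implemented in Python over constructed Sysmon-style events, plus a
simple allowlist reflecting the False Positives & Tuning section."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Indicator patterns copied from the AQL query's regular expressions.
SUSPICIOUS_CHILDREN = re.compile(
    r"(cmd\.exe|powershell\.exe|pwsh\.exe|net\.exe|net1\.exe|whoami\.exe|"
    r"certutil\.exe|bitsadmin\.exe|regsvr32\.exe|rundll32\.exe|mshta\.exe|"
    r"wscript\.exe|cscript\.exe|schtasks\.exe|reg\.exe|sc\.exe|curl\.exe|"
    r"wget\.exe|nltest\.exe|ipconfig\.exe)$")
SUSPICIOUS_PARENTS = re.compile(
    r"(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|"
    r"explorer\.exe|outlook\.exe|winword\.exe|excel\.exe|powerpnt\.exe|"
    r"rundll32\.exe|regsvr32\.exe|wmic\.exe)$")
SUSPICIOUS_PATHS = re.compile(
    r"(\\temp\\|\\appdata\\|\\programdata\\|\\users\\public\\|"
    r"\\windows\\tasks\\|\\downloads\\|\\desktop\\)")

# Tuning assumptions (constructed): hosts where MSBuild is expected to be
# chained from scripts/explorer, and packaging helpers seen after builds.
BUILD_HOSTS = frozenset({"ci-agent-01", "dev-ws-042"})
PACKAGING_CHILDREN = {"certutil.exe", "reg.exe"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon EID 1 / Security 4688 style)."""
    process_name: Optional[str]
    parent_process_name: Optional[str]
    command_line: Optional[str]
    hostname: str = ""      # assumed field, not selected by the AQL query
    username: str = ""


def _is_msbuild(name: str) -> bool:
    return name.endswith("msbuild.exe")


def score_event(ev: ProcessEvent) -> Tuple[int, str]:
    """Mirror the AQL CASE expressions: first matching branch wins."""
    proc = (ev.process_name or "").lower()
    parent = (ev.parent_process_name or "").lower()
    cmd = ev.command_line
    if _is_msbuild(parent) and SUSPICIOUS_CHILDREN.search(proc):
        return 90, "MSBuild spawned suspicious child process"
    if _is_msbuild(proc) and SUSPICIOUS_PARENTS.search(parent):
        return 80, "MSBuild launched by suspicious parent"
    if _is_msbuild(proc) and cmd and SUSPICIOUS_PATHS.search(cmd.lower()):
        return 75, "MSBuild project file in suspicious path"
    if _is_msbuild(proc) and (cmd is None or cmd.strip().lower() == "msbuild.exe"):
        return 60, "MSBuild executed with no arguments"
    return 0, "none"


def tune(ev: ProcessEvent, score: int, branch: str,
         build_hosts: FrozenSet[str]) -> Tuple[int, str]:
    """Suppress the two parent/child branches on known build hosts, where the
    page notes scripted MSBuild chains and post-build packaging helpers."""
    if ev.hostname not in build_hosts:
        return score, branch
    child = (ev.process_name or "").lower().rsplit("\\", 1)[-1]
    if branch == "MSBuild launched by suspicious parent":
        return 0, "tuned: build host"
    if branch == "MSBuild spawned suspicious child process" and child in PACKAGING_CHILDREN:
        return 0, "tuned: build host packaging step"
    return score, branch  # suspicious-path and no-argument branches still fire


def run_detection(events: List[ProcessEvent],
                  build_hosts: FrozenSet[str] = frozenset()) -> List[Tuple[int, str, str, str]]:
    """Return (risk_score, branch, hostname, username) for each hit, highest risk first."""
    alerts = []
    for ev in events:
        score, branch = tune(ev, *score_event(ev), build_hosts)
        if score > 0:
            alerts.append((score, branch, ev.hostname, ev.username))
    alerts.sort(key=lambda a: a[0], reverse=True)
    return alerts


# Constructed sample telemetry covering each branch, one tuned-out hit and a benign event.
FW = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe", FW, "cmd.exe /c whoami", "ws-101", "alice"),
    ProcessEvent(FW, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.xml", "ws-101", "alice"),
    ProcessEvent(FW, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
                 r"MSBuild.exe C:\Users\bob\AppData\Local\Temp\proj.csproj", "ws-102", "bob"),
    ProcessEvent(FW, r"C:\Windows\explorer.exe",
                 r"MSBuild.exe C:\src\installer\Product.wixproj", "ci-agent-01", "svc-build"),
    ProcessEvent(FW, r"C:\Windows\System32\services.exe", "MSBuild.exe", "ws-103", "carol"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
                 "svchost.exe -k netsvcs", "ws-103", "SYSTEM"),
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS, BUILD_HOSTS):
        print(alert)
```

Running the block prints the four surviving hits in the same order the query's `ORDER BY risk_score DESC` would produce them; the explorer-launched build on `ci-agent-01` is dropped by the allowlist while the suspicious-path and no-argument branches are deliberately left untouched by tuning, since a project file in a temp directory is worth a look even on a build host.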
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: MSBuild Inline Task Execution via CodeTaskFactory
Expected signal: Sysmon Event ID 1: MSBuild.exe process creation with CommandLine referencing the .csproj file in %TEMP%. Sysmon Event ID 1: cmd.exe spawned with ParentImage=MSBuild.exe executing 'whoami'. Sysmon Event ID 11: File creation for df00tech-msbuild-output.txt. Security Event ID 4688 (if command line auditing enabled) for both MSBuild.exe and cmd.exe.
- Test 2: MSBuild Launched from PowerShell with Temp Path Project File
Expected signal: Sysmon Event ID 1: powershell.exe process creation writing the project file. Sysmon Event ID 11: File creation for df00tech-ps-build.xml in %TEMP%. Sysmon Event ID 1: MSBuild.exe process creation with ParentImage=powershell.exe and CommandLine referencing .xml file in %TEMP%. Sysmon Event ID 11: File creation for df00tech-executed.txt confirming inline task execution.
- Test 3: MSBuild with Unusual Project File Extension
Expected signal: Sysmon Event ID 1: MSBuild.exe with CommandLine referencing a .txt file in %APPDATA%. Sysmon Event ID 11: File creation for df00tech-config.txt in %APPDATA%. Sysmon Event ID 11: File creation for df00tech-recon.txt in %TEMP% confirming successful inline task execution. Sysmon Event ID 12/13: Registry key access under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.
- Test 4: MSBuild RoslynCodeTaskFactory Inline Execution
Expected signal: Sysmon Event ID 1: MSBuild.exe launched from Visual Studio or Framework path with CommandLine referencing .csproj in %TEMP%. Sysmon Event ID 7: Image Load events for Roslyn compiler DLLs (Microsoft.CodeAnalysis.CSharp.dll) loaded into MSBuild.exe process; this is a key differentiator for Roslyn-based attacks. Sysmon Event ID 11: File creation of df00tech-roslyn-executed.txt confirming successful execution.
References (9)
- https://attack.mitre.org/techniques/T1127/001/
- https://lolbas-project.github.io/lolbas/Binaries/Msbuild/
- https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-inline-tasks
- https://msdn.microsoft.com/library/dd393574.aspx
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msbuild_susp_use.yml
- https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/
- https://blog.talosintelligence.com/lost-in-translation/
- https://www.sans.org/blog/application-whitelisting-bypass-using-msbuild-exe/