Detect MSBuild in Microsoft Sentinel
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations. Adversaries can abuse MSBuild to proxy execution of malicious code via the inline task capability introduced in .NET 4, which allows C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. Because MSBuild.exe is a signed Microsoft binary, this technique can execute arbitrary code and bypass application control defenses configured to allow MSBuild.exe execution. Threat actors including PlugX malware and the Empire framework have used this technique to load shellcode and proxy malicious execution.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Sub-technique
- T1127.001 MSBuild
- Canonical reference
- https://attack.mitre.org/techniques/T1127/001/
KQL Detection Query
let SuspiciousParents = dynamic(["cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe","explorer.exe","outlook.exe","winword.exe","excel.exe","powerpnt.exe","rundll32.exe","regsvr32.exe","wmic.exe"]);
let SuspiciousChildProcesses = dynamic(["cmd.exe","powershell.exe","pwsh.exe","net.exe","net1.exe","whoami.exe","ipconfig.exe","nltest.exe","certutil.exe","bitsadmin.exe","regsvr32.exe","rundll32.exe","mshta.exe","wscript.exe","cscript.exe","schtasks.exe","at.exe","reg.exe","sc.exe","curl.exe","wget.exe"]);
let SuspiciousPaths = dynamic(["\\Temp\\","\\AppData\\Local\\","\\AppData\\Roaming\\","\\ProgramData\\","\\Users\\Public\\","\\Windows\\Tasks\\","\\Desktop\\","\\Downloads\\"]);
// Branch 1: MSBuild spawning suspicious child processes
let MSBuildChildProcs = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "MSBuild.exe"
| where FileName has_any (SuspiciousChildProcesses)
| extend DetectionBranch = "MSBuild spawned suspicious child process"
| extend RiskScore = 90;
// Branch 2: MSBuild executed from suspicious parent (non-build tooling)
let MSBuildSuspiciousParent = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "MSBuild.exe"
| where InitiatingProcessFileName has_any (SuspiciousParents)
| extend DetectionBranch = "MSBuild launched by suspicious parent"
| extend RiskScore = 80;
// Branch 3: MSBuild loading project files from suspicious paths
let MSBuildSuspiciousPaths = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "MSBuild.exe"
| where ProcessCommandLine has_any (SuspiciousPaths)
| extend DetectionBranch = "MSBuild project file in suspicious path"
| extend RiskScore = 75;
// Branch 4: MSBuild executed with no project file argument (inline exec via stdin or empty invocation)
let MSBuildNoArgs = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "MSBuild.exe"
| where isempty(ProcessCommandLine) or ProcessCommandLine =~ "MSBuild.exe"
| extend DetectionBranch = "MSBuild executed with no arguments"
| extend RiskScore = 60;
union MSBuildChildProcs, MSBuildSuspiciousParent, MSBuildSuspiciousPaths, MSBuildNoArgs
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName, FolderPath, DetectionBranch, RiskScore
| sort by RiskScore desc, Timestamp descDetects MSBuild.exe abuse for proxy execution using four detection branches: (1) MSBuild spawning suspicious child processes indicating successful code execution from an inline task; (2) MSBuild launched by non-build parent processes such as PowerShell, cmd.exe, or Office applications indicating exploitation context; (3) MSBuild loading project files from temporary or user-writable directories rather than source code repositories; (4) MSBuild executed with no arguments which is atypical for legitimate build operations. Risk scores are assigned per branch to help analysts prioritize alerts.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software builds initiated from PowerShell or cmd.exe wrappers in CI/CD pipelines (e.g., Azure DevOps agents, GitHub Actions runners, Jenkins agents running on Windows)
- Visual Studio extensions and IDE tooling that invoke MSBuild programmatically from non-standard parent contexts
- .NET SDK tooling (dotnet.exe) that shells out to MSBuild.exe during restore, build, or publish operations
- Developer workstations where engineers invoke MSBuild manually from terminals for testing build scripts in temp directories
- Third-party installers (e.g., Chocolatey packages, software installers) that compile .NET components during installation
Other platforms for T1127.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1MSBuild Inline Task Execution via CodeTaskFactory
Expected signal: Sysmon Event ID 1: MSBuild.exe process creation with CommandLine referencing the .csproj file in %TEMP%. Sysmon Event ID 1: cmd.exe spawned with ParentImage=MSBuild.exe executing 'whoami'. Sysmon Event ID 11: File creation for df00tech-msbuild-output.txt. Security Event ID 4688 (if command line auditing enabled) for both MSBuild.exe and cmd.exe.
- Test 2MSBuild Launched from PowerShell with Temp Path Project File
Expected signal: Sysmon Event ID 1: powershell.exe process creation writing the project file. Sysmon Event ID 11: File creation for df00tech-ps-build.xml in %TEMP%. Sysmon Event ID 1: MSBuild.exe process creation with ParentImage=powershell.exe and CommandLine referencing .xml file in %TEMP%. Sysmon Event ID 11: File creation for df00tech-executed.txt confirming inline task execution.
- Test 3MSBuild with Unusual Project File Extension
Expected signal: Sysmon Event ID 1: MSBuild.exe with CommandLine referencing a .txt file in %APPDATA%. Sysmon Event ID 11: File creation for df00tech-config.txt in %APPDATA%. Sysmon Event ID 11: File creation for df00tech-recon.txt in %TEMP% confirming successful inline task execution. Sysmon Event ID 12/13: Registry key access under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.
- Test 4MSBuild RoslynCodeTaskFactory Inline Execution
Expected signal: Sysmon Event ID 1: MSBuild.exe launched from Visual Studio or Framework path with CommandLine referencing .csproj in %TEMP%. Sysmon Event ID 7: Image Load events for Roslyn compiler DLLs (Microsoft.CodeAnalysis.CSharp.dll) loaded into MSBuild.exe process — this is a key differentiator for Roslyn-based attacks. Sysmon Event ID 11: File creation of df00tech-roslyn-executed.txt confirming successful execution.
References (9)
- https://attack.mitre.org/techniques/T1127/001/
- https://lolbas-project.github.io/lolbas/Binaries/Msbuild/
- https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-inline-tasks
- https://msdn.microsoft.com/library/dd393574.aspx
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_msbuild_susp_use.yml
- https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/
- https://blog.talosintelligence.com/lost-in-translation/
- https://www.sans.org/blog/application-whitelisting-bypass-using-msbuild-exe/
Unlock Pro Content
Get the full detection package for T1127.001 including response playbook, investigation guide, and atomic red team tests.