T1127.001 Splunk · SPL

Detect MSBuild in Splunk

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations. Adversaries can abuse MSBuild to proxy execution of malicious code via the inline task capability introduced in .NET 4, which allows C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. Because MSBuild.exe is a signed Microsoft binary, this technique can execute arbitrary code and bypass application control defenses configured to allow MSBuild.exe execution. Threat actors including PlugX malware and the Empire framework have used this technique to load shellcode and proxy malicious execution.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1127 Trusted Developer Utilities Proxy Execution
Sub-technique
T1127.001 MSBuild
Canonical reference
https://attack.mitre.org/techniques/T1127/001/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image=lower(Image), ParentImage=lower(ParentImage), CommandLine=lower(CommandLine)
| eval IsMSBuild=if(match(Image, "msbuild\.exe$"), 1, 0)
| eval MSBuildIsParent=if(match(ParentImage, "msbuild\.exe$"), 1, 0)
`comment("Branch 1: MSBuild as parent spawning suspicious child processes")`
| eval SuspiciousChild=if(MSBuildIsParent=1 AND match(Image, "(cmd\.exe|powershell\.exe|pwsh\.exe|net\.exe|net1\.exe|whoami\.exe|certutil\.exe|bitsadmin\.exe|regsvr32\.exe|rundll32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|schtasks\.exe|reg\.exe|sc\.exe|curl\.exe|wget\.exe|nltest\.exe|ipconfig\.exe)$"), 1, 0)
`comment("Branch 2: MSBuild launched by suspicious parent process")`
| eval SuspiciousParent=if(IsMSBuild=1 AND match(ParentImage, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|explorer\.exe|outlook\.exe|winword\.exe|excel\.exe|powerpnt\.exe|rundll32\.exe|regsvr32\.exe|wmic\.exe)$"), 1, 0)
`comment("Branch 3: MSBuild loading project file from suspicious path")`
| eval SuspiciousProjectPath=if(IsMSBuild=1 AND match(CommandLine, "(\\\\temp\\\\|\\\\appdata\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\windows\\\\tasks\\\\|\\\\downloads\\\\|\\\\desktop\\\\)"), 1, 0)
`comment("Branch 4: MSBuild with no meaningful project file argument")`
| eval NoProjectFile=if(IsMSBuild=1 AND (len(trim(CommandLine))=0 OR CommandLine="msbuild.exe"), 1, 0)
| eval RiskScore=case(
    SuspiciousChild=1, 90,
    SuspiciousParent=1, 80,
    SuspiciousProjectPath=1, 75,
    NoProjectFile=1, 60,
    true(), 0)
| eval DetectionBranch=case(
    SuspiciousChild=1, "MSBuild spawned suspicious child process",
    SuspiciousParent=1, "MSBuild launched by suspicious parent",
    SuspiciousProjectPath=1, "MSBuild project file in suspicious path",
    NoProjectFile=1, "MSBuild executed with no arguments",
    true(), "none")
| where RiskScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionBranch, RiskScore
| sort - RiskScore, - _time
high severity high confidence

Detects MSBuild.exe abuse for proxy execution using Sysmon Event ID 1 (Process Creation). Evaluates both MSBuild-as-child and MSBuild-as-parent scenarios: suspicious parent processes launching MSBuild indicate it may be used as a LOLBin execution proxy; MSBuild spawning reconnaissance or execution utilities indicates a successfully compiled and executed inline task payload. Risk scores prioritize alerts where code execution is confirmed (child process spawned) over those where context alone is suspicious.

Data Sources

Process: Process CreationCommand: Command ExecutionSysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate software builds initiated from PowerShell or cmd.exe wrappers in CI/CD pipelines (Azure DevOps, GitHub Actions, Jenkins on Windows)
  • Visual Studio and .NET SDK tooling invoking MSBuild programmatically from non-standard parent contexts
  • Third-party installers that compile .NET components during software installation
  • Developer workstations where engineers run MSBuild from terminal emulators for testing
Download portable Sigma rule (.yml)

Other platforms for T1127.001

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1MSBuild Inline Task Execution via CodeTaskFactory

    Expected signal: Sysmon Event ID 1: MSBuild.exe process creation with CommandLine referencing the .csproj file in %TEMP%. Sysmon Event ID 1: cmd.exe spawned with ParentImage=MSBuild.exe executing 'whoami'. Sysmon Event ID 11: File creation for df00tech-msbuild-output.txt. Security Event ID 4688 (if command line auditing enabled) for both MSBuild.exe and cmd.exe.

  2. Test 2MSBuild Launched from PowerShell with Temp Path Project File

    Expected signal: Sysmon Event ID 1: powershell.exe process creation writing the project file. Sysmon Event ID 11: File creation for df00tech-ps-build.xml in %TEMP%. Sysmon Event ID 1: MSBuild.exe process creation with ParentImage=powershell.exe and CommandLine referencing .xml file in %TEMP%. Sysmon Event ID 11: File creation for df00tech-executed.txt confirming inline task execution.

  3. Test 3MSBuild with Unusual Project File Extension

    Expected signal: Sysmon Event ID 1: MSBuild.exe with CommandLine referencing a .txt file in %APPDATA%. Sysmon Event ID 11: File creation for df00tech-config.txt in %APPDATA%. Sysmon Event ID 11: File creation for df00tech-recon.txt in %TEMP% confirming successful inline task execution. Sysmon Event ID 12/13: Registry key access under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.

  4. Test 4MSBuild RoslynCodeTaskFactory Inline Execution

    Expected signal: Sysmon Event ID 1: MSBuild.exe launched from Visual Studio or Framework path with CommandLine referencing .csproj in %TEMP%. Sysmon Event ID 7: Image Load events for Roslyn compiler DLLs (Microsoft.CodeAnalysis.CSharp.dll) loaded into MSBuild.exe process — this is a key differentiator for Roslyn-based attacks. Sysmon Event ID 11: File creation of df00tech-roslyn-executed.txt confirming successful execution.

Last updated: 2026-04-18 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1127.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1127Trusted Developer Utilities Proxy Execution

Related Sub-techniques

T1127.002ClickOnceT1127.003JamPlus

Related Techniques

T1127Trusted Developer Utilities Proxy ExecutionT1127.002ClickOnceT1059.001PowerShellT1059.003Windows Command ShellT1218System Binary Proxy ExecutionT1055Process InjectionT1027.009Embedded PayloadsT1036MasqueradingT1105Ingress Tool TransferT1562.001Disable or Modify Tools

Same Tactic: Defense Evasion

Popular Detections