T1127.001 Sumo Logic CSE · Sumo

Detect MSBuild in Sumo Logic CSE

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations. Adversaries can abuse MSBuild to proxy execution of malicious code via the inline task capability introduced in .NET 4, which allows C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. Because MSBuild.exe is a signed Microsoft binary, this technique can execute arbitrary code and bypass application control defenses configured to allow MSBuild.exe execution. Threat actors including PlugX malware and the Empire framework have used this technique to load shellcode and proxy malicious execution.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1127 Trusted Developer Utilities Proxy Execution
Sub-technique
T1127.001 MSBuild
Canonical reference
https://attack.mitre.org/techniques/T1127/001/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winevent*
| where _raw matches /(?i)msbuild\.exe/
| parse regex field=_raw "(?i)<Image>(?<Image>[^<]+)</Image>" nodrop
| parse regex field=_raw "(?i)<ParentImage>(?<ParentImage>[^<]+)</ParentImage>" nodrop
| parse regex field=_raw "(?i)<CommandLine>(?<CommandLine>[^<]+)</CommandLine>" nodrop
| parse regex field=_raw "(?i)<User>(?<User>[^<]+)</User>" nodrop
| parse regex field=_raw "(?i)<Computer>(?<Computer>[^<]+)</Computer>" nodrop
| parse regex field=_raw "(?i)<ParentCommandLine>(?<ParentCommandLine>[^<]+)</ParentCommandLine>" nodrop
| eval Image = toLowerCase(Image)
| eval ParentImage = toLowerCase(ParentImage)
| eval CommandLine = toLowerCase(CommandLine)
| eval IsMSBuild = if(matches(Image, ".*msbuild\\.exe$"), 1, 0)
| eval MSBuildIsParent = if(matches(ParentImage, ".*msbuild\\.exe$"), 1, 0)
| eval SuspiciousChild = if(
    MSBuildIsParent == 1 AND matches(Image, ".*(cmd\\.exe|powershell\\.exe|pwsh\\.exe|net\\.exe|net1\\.exe|whoami\\.exe|certutil\\.exe|bitsadmin\\.exe|regsvr32\\.exe|rundll32\\.exe|mshta\\.exe|wscript\\.exe|cscript\\.exe|schtasks\\.exe|reg\\.exe|sc\\.exe|curl\\.exe|wget\\.exe|nltest\\.exe|ipconfig\\.exe)$"),
    1, 0)
| eval SuspiciousParent = if(
    IsMSBuild == 1 AND matches(ParentImage, ".*(cmd\\.exe|powershell\\.exe|pwsh\\.exe|wscript\\.exe|cscript\\.exe|mshta\\.exe|explorer\\.exe|outlook\\.exe|winword\\.exe|excel\\.exe|powerpnt\\.exe|rundll32\\.exe|regsvr32\\.exe|wmic\\.exe)$"),
    1, 0)
| eval SuspiciousProjectPath = if(
    IsMSBuild == 1 AND matches(CommandLine, ".*(\\\\temp\\\\|\\\\appdata\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\windows\\\\tasks\\\\|\\\\downloads\\\\|\\\\desktop\\\\).*"),
    1, 0)
| eval NoProjectFile = if(
    IsMSBuild == 1 AND (isNull(CommandLine) OR trim(CommandLine) == "" OR CommandLine == "msbuild.exe"),
    1, 0)
| eval RiskScore = if(SuspiciousChild == 1, 90,
    if(SuspiciousParent == 1, 80,
    if(SuspiciousProjectPath == 1, 75,
    if(NoProjectFile == 1, 60, 0))))
| eval DetectionBranch = if(SuspiciousChild == 1, "MSBuild spawned suspicious child process",
    if(SuspiciousParent == 1, "MSBuild launched by suspicious parent",
    if(SuspiciousProjectPath == 1, "MSBuild project file in suspicious path",
    if(NoProjectFile == 1, "MSBuild executed with no arguments", "none"))))
| where RiskScore > 0
| fields _messagetime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionBranch, RiskScore
| sort by RiskScore, _messagetime
high severity medium confidence

Sumo Logic query detecting MSBuild.exe proxy execution abuse (T1127.001) by parsing Sysmon or Windows Event Log data for four behavioral branches: child process spawning, suspicious parent ancestry, project files loaded from user-writable paths, and no-argument invocations. Uses Sumo Logic CSE field parsing from raw XML event data.

Data Sources

Sumo Logic Windows Event Log SourceSumo Logic Sysmon Source via Installed Collector

Required Tables

_sourceCategory=*windows*_sourceCategory=*sysmon*

False Positives & Tuning

  • Legitimate build pipelines on developer machines that invoke MSBuild from cmd.exe or PowerShell terminal sessions
  • MSBuild used by game development tools (Unity, Unreal) or audio plugins that write temporary project files to AppData during asset compilation
  • IT automation scripts that invoke MSBuild as part of patch management or software deployment workflows from explorer.exe or scripted wrappers
Download portable Sigma rule (.yml)

Other platforms for T1127.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1MSBuild Inline Task Execution via CodeTaskFactory

    Expected signal: Sysmon Event ID 1: MSBuild.exe process creation with CommandLine referencing the .csproj file in %TEMP%. Sysmon Event ID 1: cmd.exe spawned with ParentImage=MSBuild.exe executing 'whoami'. Sysmon Event ID 11: File creation for df00tech-msbuild-output.txt. Security Event ID 4688 (if command line auditing enabled) for both MSBuild.exe and cmd.exe.

  2. Test 2MSBuild Launched from PowerShell with Temp Path Project File

    Expected signal: Sysmon Event ID 1: powershell.exe process creation writing the project file. Sysmon Event ID 11: File creation for df00tech-ps-build.xml in %TEMP%. Sysmon Event ID 1: MSBuild.exe process creation with ParentImage=powershell.exe and CommandLine referencing .xml file in %TEMP%. Sysmon Event ID 11: File creation for df00tech-executed.txt confirming inline task execution.

  3. Test 3MSBuild with Unusual Project File Extension

    Expected signal: Sysmon Event ID 1: MSBuild.exe with CommandLine referencing a .txt file in %APPDATA%. Sysmon Event ID 11: File creation for df00tech-config.txt in %APPDATA%. Sysmon Event ID 11: File creation for df00tech-recon.txt in %TEMP% confirming successful inline task execution. Sysmon Event ID 12/13: Registry key access under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion.

  4. Test 4MSBuild RoslynCodeTaskFactory Inline Execution

    Expected signal: Sysmon Event ID 1: MSBuild.exe launched from Visual Studio or Framework path with CommandLine referencing .csproj in %TEMP%. Sysmon Event ID 7: Image Load events for Roslyn compiler DLLs (Microsoft.CodeAnalysis.CSharp.dll) loaded into MSBuild.exe process — this is a key differentiator for Roslyn-based attacks. Sysmon Event ID 11: File creation of df00tech-roslyn-executed.txt confirming successful execution.

Last updated: 2026-04-18 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1127.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1127Trusted Developer Utilities Proxy Execution

Related Sub-techniques

T1127.002ClickOnceT1127.003JamPlus

Related Techniques

T1127Trusted Developer Utilities Proxy ExecutionT1127.002ClickOnceT1059.001PowerShellT1059.003Windows Command ShellT1218System Binary Proxy ExecutionT1055Process InjectionT1027.009Embedded PayloadsT1036MasqueradingT1105Ingress Tool TransferT1562.001Disable or Modify Tools

Same Tactic: Defense Evasion

Popular Detections