Find sigma rule

Attack: Trusted Developer Utilities Proxy Execution: MSBuild

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)

Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)

MITRE

Tactic

defense-evasion

technique

T1127.001

Test : MSBuild Bypass Using Inline Tasks (VB)

OS

windows

Description:

Executes the code in a project file using msbuild.exe. The default Visual Basic example file (vb.xml) will simply print “Hello from a Visual Basic inline task!” to the screen.

Executor

command_prompt

Sigma Rule

file_event_win_csharp_compile_artefact.yml (id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0)
proc_creation_win_lolbin_visual_basic_compiler.yml (id: 7b10f171-7f04-47c7-9fa2-5be43c76e535)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test