Msbuild (1f500e4c-25a1-4570-a3ba-5c9cd463afde)
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used to compile and execute code
Author: Oddvar Moe
Paths:
* C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
* C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
* C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
Resources:
* https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md
* https://github.com/Cn33liz/MSBuildShell
* https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
* https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
* https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191
* https://github.com/LOLBAS-Project/LOLBAS/issues/165
* https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-response-files
* https://www.daveaglick.com/posts/msbuild-loggers-and-logging-events
Detection:
* Sigma: file_event_win_shell_write_susp_directory.yml
* Sigma: proc_creation_win_msbuild_susp_parent_process.yml
* Sigma: net_connection_win_silenttrinity_stager_msbuild_activity.yml
* Splunk: suspicious_msbuild_spawn.yml
* Splunk: suspicious_msbuild_rename.yml
* Splunk: msbuild_suspicious_spawned_by_script_process.yml
* Elastic: defense_evasion_msbuild_beacon_sequence.toml
* Elastic: defense_evasion_msbuild_making_network_connections.toml
* Elastic: defense_evasion_execution_msbuild_started_by_script.toml
* Elastic: defense_evasion_execution_msbuild_started_by_office_app.toml
* Elastic: defense_evasion_execution_msbuild_started_renamed.toml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* IOC: Msbuild.exe should not normally be executed on workstations [LOLBAS Msbuild]
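The detection rules listed above reduce to a few process-creation heuristics: MSBuild running under a name other than its own, MSBuild launched by a script host or an Office application, MSBuild spawning a shell or other LOLBin, MSBuild running from a directory other than its known install paths, and any MSBuild execution on a workstation. The Python below is an added example, not code from the LOLBAS project, the rule sets named above, or this galaxy; it applies those heuristics to constructed Sysmon-style process-creation events. The `HostRole` field is an assumed enrichment (you would derive it from your asset inventory), the rule names are labels chosen here rather than the rule file names, and the script-host, Office and child-process lists are assumptions to tune for your environment.

```python
"""Triage constructed Sysmon Event ID 1 style events for the Msbuild heuristics
listed in the Detection section. Added example; not LOLBAS or MISP code."""
import ntpath

# Install directories taken from the Paths section above. Visual Studio layouts
# (e.g. under Program Files\Microsoft Visual Studio) must be added where in use.
KNOWN_MSBUILD_DIRS = {
    r"c:\windows\microsoft.net\framework\v2.0.50727",
    r"c:\windows\microsoft.net\framework64\v2.0.50727",
    r"c:\windows\microsoft.net\framework\v3.5",
    r"c:\windows\microsoft.net\framework64\v3.5",
    r"c:\windows\microsoft.net\framework\v4.0.30319",
    r"c:\windows\microsoft.net\framework64\v4.0.30319",
    r"c:\program files (x86)\msbuild\14.0\bin",
}

# Assumed parent/child lists; extend to match the Sigma/Splunk/Elastic rules you deploy.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}


def _base(path):
    """Lower-cased file name of a Windows path (ntpath works on any host)."""
    return ntpath.basename(path or "").lower()


def is_msbuild(ev):
    """True when the process is MSBuild by image name OR by PE OriginalFileName,
    so that a copy renamed to e.g. svchost.exe is still recognised."""
    return (_base(ev.get("Image")) == "msbuild.exe"
            or (ev.get("OriginalFileName") or "").lower() == "msbuild.exe")


def triage(ev):
    """Return the list of rule labels an event trips (empty list = nothing of note)."""
    hits = []
    image = ev.get("Image", "")
    parent = _base(ev.get("ParentImage"))

    if is_msbuild(ev):
        if _base(image) != "msbuild.exe":
            hits.append("renamed_msbuild")          # suspicious_msbuild_rename / started_renamed
        if ntpath.dirname(image).lower() not in KNOWN_MSBUILD_DIRS:
            hits.append("unexpected_path")          # outside the Paths listed for this binary
        if parent in SCRIPT_HOSTS:
            hits.append("script_parent")            # msbuild_started_by_script / susp_parent_process
        if parent in OFFICE_APPS:
            hits.append("office_parent")            # msbuild_started_by_office_app
        if ev.get("HostRole") == "workstation":     # HostRole: assumed asset-inventory enrichment
            hits.append("workstation_execution")    # IOC: not expected on workstations
    elif parent == "msbuild.exe" and _base(image) in SUSPICIOUS_CHILDREN:
        # suspicious_msbuild_spawn. A renamed parent will not match by name here;
        # correlate on ParentProcessGuid against the renamed_msbuild hit instead.
        hits.append("msbuild_spawned_child")
    return hits


def triage_all(events):
    """Map RecordId -> rule labels for a batch of events."""
    return {ev["RecordId"]: triage(ev) for ev in events}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"RecordId": "build-01", "HostRole": "buildserver",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "OriginalFileName": "MSBuild.exe", "ParentImage": r"C:\Program Files\devenv.exe"},
    {"RecordId": "ws-02", "HostRole": "workstation",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "OriginalFileName": "MSBuild.exe", "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"RecordId": "ws-03", "HostRole": "workstation",
     "Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"RecordId": "ws-04", "HostRole": "workstation",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"RecordId": "ws-05", "HostRole": "workstation",
     "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for record_id, hits in triage_all(SAMPLE_EVENTS).items():
        print(record_id, ", ".join(hits) or "-")
```

Matching on `OriginalFileName` rather than only the image path is what makes the rename case (`ws-03`) visible; the same event also trips the path, parent and workstation checks, which is the kind of stacking worth weighting higher than any single heuristic. The build-server event trips nothing because legitimate MSBuild use is exactly what the workstation IOC is meant to separate from.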
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| MirrorFace (a59f3dd2-7685-4442-894c-bbb068540321) | Tidal Groups | Msbuild (1f500e4c-25a1-4570-a3ba-5c9cd463afde) | Tidal Software | 1 |