{
	"id": "5c14a932-691b-4547-a962-cccaa4fe2731",
	"created_at": "2026-04-06T00:16:57.124437Z",
	"updated_at": "2026-04-10T13:12:38.100935Z",
	"deleted_at": null,
	"sha1_hash": "ae06c9e78205c3713743d09b94d97b947a34d90e",
	"title": "Msbuild on LOLBAS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67459,
	"plain_text": "Msbuild on LOLBAS\r\nArchived: 2026-04-05 18:14:03 UTC\r\n.. /Msbuild.exe\r\nUsed to compile and execute code\r\nPaths:\r\nC:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Msbuild.exe\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Msbuild.exe\r\nC:\\Windows\\Microsoft.NET\\Framework\\v3.5\\Msbuild.exe\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v3.5\\Msbuild.exe\r\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Msbuild.exe\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Msbuild.exe\r\nC:\\Program Files (x86)\\MSBuild\\14.0\\bin\\MSBuild.exe\r\nResources:\r\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md\r\nhttps://github.com/Cn33liz/MSBuildShell\r\nhttps://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/\r\nhttps://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/\r\nhttps://gist.github.com/bohops/4ffc43a281e87d108875f07614324191\r\nhttps://github.com/LOLBAS-Project/LOLBAS/issues/165\r\nhttps://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-response-files\r\nhttps://www.daveaglick.com/posts/msbuild-loggers-and-logging-events\r\nAcknowledgements:\r\nCasey Smith (@subtee)\r\nCn33liz (@Cneelis)\r\nJimmy (@bohops)\r\nDetections:\r\nSigma: file_event_win_shell_write_susp_directory.yml\r\nSigma: proc_creation_win_msbuild_susp_parent_process.yml\r\nSigma: net_connection_win_silenttrinity_stager_msbuild_activity.yml\r\nSplunk: suspicious_msbuild_spawn.yml\r\nSplunk: suspicious_msbuild_rename.yml\r\nSplunk: msbuild_suspicious_spawned_by_script_process.yml\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Msbuild/\r\nPage 1 of 4\n\nElastic: defense_evasion_msbuild_beacon_sequence.toml\r\nElastic: defense_evasion_msbuild_making_network_connections.toml\r\nElastic: defense_evasion_execution_msbuild_started_by_script.toml\r\nElastic: defense_evasion_execution_msbuild_started_by_office_app.toml\r\nElastic: 
defense_evasion_execution_msbuild_started_renamed.toml\r\nBlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules\r\nIOC: Msbuild.exe should not normally be executed on workstations\r\nAWL bypass\r\n1. Build and execute a C# project stored in the target XML file.\r\nmsbuild.exe file.xml\r\nUse case\r\nCompile and run code\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1127.001: MSBuild\r\nTags\r\nExecute: CSharp\r\nExecute\r\n1. Build and execute a C# project stored in the target csproj file.\r\nmsbuild.exe file.csproj\r\nUse case\r\nCompile and run code\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1127.001: MSBuild\r\nTags\r\nExecute: CSharp\r\n2. Executes generated Logger DLL file with TargetLogger export.\r\nmsbuild.exe /logger:TargetLogger,C:\\Windows\\Temp\\file.dll;MyParameters,Foo\r\nUse case\r\nExecute DLL\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1127.001: MSBuild\r\nTags\r\nExecute: DLL\r\n3. Execute JScript/VBScript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.\r\nmsbuild.exe file.proj\r\nUse case\r\nExecute project file that contains XslTransformation tag parameters\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1127.001: MSBuild\r\nTags\r\nExecute: XSL\r\n4. 
Putting any valid msbuild.exe command-line options in an RSP file and calling it as above causes the options to be interpreted as if they were passed on the command line.\r\nmsbuild.exe @file.rsp\r\nUse case\r\nBypass command-line based detections\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1036: Masquerading\r\nTags\r\nExecute: CMD\r\nSource: https://lolbas-project.github.io/lolbas/Binaries/Msbuild/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://lolbas-project.github.io/lolbas/Binaries/Msbuild/"
	],
	"report_names": [
		"Msbuild"
	],
	"threat_actors": [],
	"ts_created_at": 1775434617,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae06c9e78205c3713743d09b94d97b947a34d90e.pdf",
		"text": "https://archive.orkl.eu/ae06c9e78205c3713743d09b94d97b947a34d90e.txt",
		"img": "https://archive.orkl.eu/ae06c9e78205c3713743d09b94d97b947a34d90e.jpg"
	}
}