Common Information
Type | Value |
---|---|
Value | MSBuild - T1127.001 |
Category | Attack-Pattern |
Type | Mitre-Attack-Pattern |
Misp Type | Cluster |
Description | Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild) Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild) |
Details | Published | Attributes | CTI | Title | ||
---|---|---|---|---|---|---|
Details | Website | 2024-11-14 | 3 | FakeBat Loader is Back With New Tactics and Payload – | ||
Details | Website | 2024-11-11 | 21 | Fakebat Loader IOCs - SEC-1275-1 | ||
Details | Website | 2024-11-08 | 23 | Hello again, FakeBat: popular loader returns after months-long hiatus | ||
Details | Website | 2024-11-08 | 23 | Hello again, FakeBat: popular loader returns after months-long hiatus | Malwarebytes | ||
Details | Website | 2024-11-07 | 18 | SUNSPOT Malware: A Technical Analysis | CrowdStrike | ||
Details | Website | 2024-10-30 | 72 | LockBit Threat Group Profiling | ||
Details | Website | 2024-10-24 | 40 | ValleyRAT Insights: Tactics, Techniques, and Detection Methods | Splunk | ||
Details | Website | 2024-10-17 | 19 | Spec-tac-ula Deserialization: Deploying Specula with .NET | ||
Details | Website | 2024-10-15 | 8 | HORUS Protector Delivering AgentTesla, Remcos, Snake, Malware | ||
Details | Website | 2024-10-15 | 8 | Horus FUD IOCs - SEC-1275-1 | ||
Details | Website | 2024-10-08 | 29 | Cuckoo Spear Campaign IOCs - II - SEC-1275-1 | ||
Details | Website | 2024-09-26 | 53 | BBTok Targeting Brazil: Deobfuscating the .NET Loader with dnlib and PowerShell | ||
Details | Website | 2024-09-24 | 12 | Analyzing the Newest Turla Backdoor Through the Eyes of Hybrid Analysis | ||
Details | Website | 2024-09-23 | 3 | Cuckoo Spear Campaign IOCs - SEC-1275-1 | ||
Details | Website | 2024-09-19 | 2 | New Brazilian-Linked SambaSpy Malware Targets Italian Users via Phishing Emails | ||
Details | Website | 2024-09-19 | 2 | New Brazilian-Linked SambaSpy Malware Targets Italian Users via Phishing Emails - RedPacket Security | ||
Details | Website | 2024-09-17 | 56 | Banking Trojans: Mekotio, BBTok and Grandoreiro - SEC-1275-1 | ||
Details | Website | 2024-09-07 | 1 | Cybercriminals Target LatAm Banks: Mekotio, BBTok Lead the Charge | ||
Details | Website | 2024-09-06 | 4 | BBTok Abuses Legitimate Windows Utility Command Tool | ||
Details | Website | 2024-09-05 | 1 | Banking Trojans: Mekotio Looks to Expand Targets, BBTok Abuses Utility Command | ||
Details | Website | 2024-09-05 | 5 | Banking Trojans Mekotio Looks to Expand Targets, BBTok Abuses Utility Command | ||
Details | Website | 2024-08-26 | 15 | TA558 Targeting Brazil | ||
Details | Website | 2024-08-20 | 6 | New ValleyRAT Campaign Spotted with Advanced Techniques - ANY.RUN's Cybersecurity Blog | ||
Details | Website | 2024-08-16 | 48 | The Abuse of ITarian RMM by Dolphin Loader – RussianPanda Research Blog | ||
Details | Website | 2024-08-14 | 41 | Multiple Malware Dropped Through MSI Package - SANS Internet Storm Center |