Common Information
Type | Value |
---|---|
Value | MSBuild - T1127.001 |
Category | Attack-Pattern |
Type | Mitre-Attack-Pattern |
Misp Type | Cluster |
Description | Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild) Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild) |
Details | | Published | Attributes | CTI Title |
---|---|---|---|---|
Details | Website | 2024-08-13 | 21 | Common Malware Loaders - ReliaQuest |
Details | Website | 2024-08-12 | 3 | Macaw Ransomware |
Details | Website | 2024-07-16 | 89 | MirrorFace Attack against Japanese Organisations - JPCERT/CC Eyes |
Details | Website | 2024-07-11 | 340 | Malicious NuGet campaign uses homoglyphs and IL weaving to fool devs |
Details | Website | 2024-06-20 | 48 | Suspected Kimsuky (APT-Q-2) Attacks Europe Using Defense-Industry Recruitment as Bait |
Details | Website | 2024-05-29 | 72 | Malware Analysis: Blind Eagle's North American Journey |
Details | Website | 2024-05-28 | 15 | DLL Side Loading through IObit against Colombia |
Details | Website | 2024-03-25 | 105 | NanoCore Update |
Details | Website | 2024-03-22 | 35 | Unveiling KamiKakaBot - Malware Analysis - Nextron Systems |
Details | Website | 2024-02-26 | 186 | Ransomware Roundup – Abyss Locker \| FortiGuard Labs |
Details | Website | 2024-02-04 | 30 | Pony \| Fareit |
Details | Website | 2024-01-24 | 27 | CUCKOO SPEAR Part 1: Analyzing NOOPDOOR from an IR Perspective |
Details | Website | 2024-01-01 | 1 | Cuckoo Spear – the latest Nation-state Threat Actor targeting Japanese companies |
Details | Website | 2024-01-01 | 46 | Bitter Pill: Pharmaceutical Vendor Linked to Pharmacy and Health Clinic Cyberattack \| Huntress |
Details | Website | 2024-01-01 | 81 | CUCKOO SPEAR Part 2: Threat Actor Arsenal |
Details | Website | 2023-11-17 | 80 | WinRAR CVE-2023-38831 Vulnerability: Malware Exploits & APT Attacks |
Details | Website | 2023-11-09 | 0 | 'BlazeStealer' Malware Delivered to Python Developers Looking for Obfuscation Tools |
Details | Website | 2023-11-06 | 106 | Security Incident Weekly Report 2023-10-30 Week 44 - 360CERT |
Details | Website | 2023-11-06 | 9 | Rewterz Threat Update – SeroXen RAT Malware Distributed via Malicious NuGet Packages |
Details | Website | 2023-11-02 | 139 | Malicious NuGet Packages Exploit a Loophole in MSBuild Integration - SEC-1275-1 |
Details | Website | 2023-11-01 | 3 | Hackers Abuse NuGet Packages to Deliver SeroXen RAT |
Details | Website | 2023-11-01 | 8 | Malicious NuGet packages abuse MSBuild to install malware - RedPacket Security |
Details | Website | 2023-11-01 | 85 | Dark Pink |
Details | Website | 2023-11-01 | 0 | Malicious NuGet Packages Abuse MSBuild Integrations for Code Execution \| Antivirus and Security news |
Details | Website | 2023-11-01 | 0 | Iranian Cyber Spies Use 'LionTail' Malware in Latest Attacks |