msbuild
|
LOLBAS
Tags
| attack-pattern: | Msbuild - T1127.001 Trusted Developer Utilities Proxy Execution - T1127 |
Common Information
| Type | Value |
|---|---|
| UUID | 96ce3612-5442-4deb-b902-70003f0064b6 |
| Fingerprint | 948ee95eff2e7cda |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Dec. 13, 2017, midnight |
| Added to db | Sept. 26, 2022, 9:31 a.m. |
| Last updated | Nov. 18, 2024, 2:36 a.m. |
| Headline | .. / Msbuild.exe Star |
| Title | msbuild | LOLBAS |
| Detected Hints/Tags/Attributes | 17/1/45 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://lolbas-project.github.io/lolbas/Binaries/Msbuild/ |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 285 | microsoft.net |
|
| Details | Domain | 4128 | github.com |
|
| Details | Domain | 1 | t1127.md |
|
| Details | Domain | 10 | pentestlab.blog |
|
| Details | Domain | 12 | oddvar.moe |
|
| Details | Domain | 221 | gist.github.com |
|
| Details | Domain | 1 | www.daveaglick.com |
|
| Details | File | 149 | msbuild.exe |
|
| Details | File | 3 | pshell.xml |
|
| Details | File | 1 | project.cs |
|
| Details | File | 1 | c:\loggers\targetlogger.dll |
|
| Details | Github username | 17 | redcanaryco |
|
| Details | Github username | 4 | cn33liz |
|
| Details | Github username | 1 | bohops |
|
| Details | Github username | 3 | lolbas-project |
|
| Details | Github username | 27 | sigmahq |
|
| Details | Github username | 5 | splunk |
|
| Details | Github username | 17 | elastic |
|
| Details | md5 | 1 | 4ffc43a281e87d108875f07614324191 |
|
| Details | sha1 | 2 | a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254 |
|
| Details | sha1 | 1 | 5a3af872d86903c13e508348f54e3b519eb01dce |
|
| Details | sha1 | 2 | 18f63553a9dc1a34122fa123deae2b2f9b9ea391 |
|
| Details | sha1 | 1 | a1afa0fa605639cbef7d528dec46ce7c8112194a |
|
| Details | sha1 | 1 | 61afb1c1c0c3f50637b1bb194f3e6fb09f476e50 |
|
| Details | sha1 | 1 | ef7548f04c4341e0d1a172810330d59453f46a21 |
|
| Details | MITRE ATT&CK Techniques | 23 | T1127 |
|
| Details | MITRE ATT&CK Techniques | 10 | T1127.001 |
|
| Details | Url | 1 | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/t1127/t1127.md |
|
| Details | Url | 2 | https://github.com/cn33liz/msbuildshell |
|
| Details | Url | 1 | https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild |
|
| Details | Url | 4 | https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1 |
|
| Details | Url | 1 | https://gist.github.com/bohops/4ffc43a281e87d108875f07614324191 |
|
| Details | Url | 1 | https://github.com/lolbas-project/lolbas/issues/165 |
|
| Details | Url | 1 | https://www.daveaglick.com/posts/msbuild-loggers-and-logging-events |
|
| Details | Url | 2 | https://github.com/sigmahq/sigma/blob/a04fbe2a99f1dcbbfeb0ee4957ae4b06b0866254/rules/windows/process_creation/win_possible_applocker_bypass.yml |
|
| Details | Url | 1 | https://github.com/sigmahq/sigma/blob/5a3af872d86903c13e508348f54e3b519eb01dce/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml |
|
| Details | Url | 1 | https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_msbuild_spawn.yml |
|
| Details | Url | 1 | https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_msbuild_rename.yml |
|
| Details | Url | 1 | https://github.com/splunk/security_content/blob/a1afa0fa605639cbef7d528dec46ce7c8112194a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml |
|
| Details | Url | 1 | https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_msbuild_beacon_sequence.toml |
|
| Details | Url | 1 | https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_msbuild_making_network_connections.toml |
|
| Details | Url | 1 | https://github.com/elastic/detection-rules/blob/ef7548f04c4341e0d1a172810330d59453f46a21/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml |
|
| Details | Url | 1 | https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml |
|
| Details | Url | 1 | https://github.com/elastic/detection-rules/blob/61afb1c1c0c3f50637b1bb194f3e6fb09f476e50/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml |
|
| Details | Url | 3 | https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules |