Trusted Developer Utilities Proxy Execution: MSBuild
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild) Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)
Примеры процедур |
|
Название | Описание |
---|---|
PlugX |
A version of PlugX loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application control techniques.(Citation: Palo Alto PlugX June 2017) |
Empire |
Empire can use built-in modules to abuse trusted utilities like MSBuild.exe.(Citation: Github PowerShell Empire) |
Frankenstein |
Frankenstein has used MSbuild to execute an actor-created file.(Citation: Talos Frankenstein June 2019) |
During Frankenstein, the threat actors used MSbuild to execute an actor-created file.(Citation: Talos Frankenstein June 2019) |
Контрмеры |
|
Контрмера | Описание |
---|---|
Disable or Remove Feature or Program |
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries. |
Execution Prevention |
Block execution of code on a system through application control, and/or script blocking. |
Обнаружение
Use process monitoring to monitor the execution and arguments of MSBuild.exe. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.
Ссылки
- Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
- LOLBAS. (n.d.). Msbuild.exe. Retrieved July 31, 2019.
- Microsoft. (2017, September 21). MSBuild inline tasks. Retrieved March 5, 2021.
- Microsoft. (n.d.). MSBuild1. Retrieved November 30, 2016.
- Lancaster, T. and Idrizovic, E.. (2017, June 27). Paranoid PlugX. Retrieved July 13, 2017.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- Coulter, D. et al.. (2019, April 9). Microsoft recommended block rules. Retrieved August 12, 2021.
Связанные риски
Риск | Связи | |
---|---|---|
Обход систем защиты из-за
возможности выполнения кода через утилиту разработчика MSBuild в ОС Windows
Повышение привилегий
Целостность
|
|
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.