MSBuild.exe

  • File Path: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  • Description: MSBuild.exe
  • Comments: Flavor=Retail

Hashes

Type     Hash
MD5      D10A3CFCC08AAE3A7234498F213CF89E
SHA1     CCAE4469A3A05FCB6E7AF33019CA5357E5406DDA
SHA256   0DA56BD07A486818B7735761001CC1D3CA5AF645F369A3C206BCB6719FEFFF06
SHA384   4211279788CF5A0188183AD8D8AD0DDCF6EA193E16C8C8BA45A918B791FCB03E57E49EBC19511A490A0C49179113E7F5
SHA512   90A4A68B45113360D732CCAC7698C74AA550C05D9883D287B808982800FCE1A24ABF69CF06B0F017BABD647CAFD3CA10AA894C59E6DAB8BA1FF34C639BDF6427
SSDEEP   3072:sa0t0yH5wCwie3NnQNLpj/Wnqvsw2XpFU4rwOeNubZSpf02RFirx2ux5a88:70ny3nnKpqnZRXf2p02bilrvU
IMP      F34D5F2D4577ED6D9CEEC516C1F5A744
PESHA1   6A8525BE938D0B6F17764220B32768493E52932C
PE256    C72985B8077D5C5374C5F701FB75293881C132FC55CA080DE7310EC381CE2FB1

Runtime Data

Usage (stdout):

Microsoft (R) Build Engine version 4.8.4161.0
[Microsoft .NET Framework, version 4.0.30319.42000]
Copyright (C) Microsoft Corporation. All rights reserved.

Syntax:              MSBuild.exe [options] [project file]

Description:         Builds the specified targets in the project file. If
                     a project file is not specified, MSBuild searches the
                     current working directory for a file that has a file
                     extension that ends in "proj" and uses that file.

Switches:

  /target:<targets>  Build these targets in this project. Use a semicolon or a
                     comma to separate multiple targets, or specify each
                     target separately. (Short form: /t)
                     Example:
                       /target:Resources;Compile

  /property:<n>=<v>  Set or override these project-level properties. <n> is
                     the property name, and <v> is the property value. Use a
                     semicolon or a comma to separate multiple properties, or
                     specify each property separately. (Short form: /p)
                     Example:
                       /property:WarningLevel=2;OutDir=bin\Debug\

  /maxcpucount[:n]   Specifies the maximum number of concurrent processes to 
                     build with. If the switch is not used, the default
                     value used is 1. If the switch is used without a value
                     MSBuild will use up to the number of processors on the 
                     computer. (Short form: /m[:n])
      
  /toolsversion:<version>
                     The version of the MSBuild Toolset (tasks, targets, etc.)
                     to use during build. This version will override the 
                     versions specified by individual projects. (Short form: 
                     /tv)
                     Example:
                       /toolsversion:3.5
   
  /verbosity:<level> Display this amount of information in the event log.
                     The available verbosity levels are: q[uiet], m[inimal],
                     n[ormal], d[etailed], and diag[nostic]. (Short form: /v)
                     Example:
                       /verbosity:quiet

  /consoleloggerparameters:<parameters>
                     Parameters to console logger. (Short form: /clp)
                     The available parameters are:
                        PerformanceSummary--Show time spent in tasks, targets
                            and projects.
                        Summary--Show error and warning summary at the end.
                        NoSummary--Don't show error and warning summary at the
                            end.
                        ErrorsOnly--Show only errors.
                        WarningsOnly--Show only warnings.
                        NoItemAndPropertyList--Don't show list of items and
                            properties at the start of each project build.    
                        ShowCommandLine--Show TaskCommandLineEvent messages  
                        ShowTimestamp--Display the Timestamp as a prefix to any
                            message.                                           
                        ShowEventId--Show eventId for started events, finished 
                            events, and messages
                        ForceNoAlign--Does not align the text to the size of
                            the console buffer
                        DisableConsoleColor--Use the default console colors
                            for all logging messages.
                        DisableMPLogging-- Disable the multiprocessor
                            logging style of output when running in 
                            non-multiprocessor mode.
                        EnableMPLogging--Enable the multiprocessor logging
                            style even when running in non-multiprocessor
                            mode. This logging style is on by default. 
                        Verbosity--overrides the /verbosity setting for this
                            logger.
                     Example:
                        /consoleloggerparameters:PerformanceSummary;NoSummary;
                                                 Verbosity=minimal

  /noconsolelogger   Disable the default console logger and do not log events
                     to the console. (Short form: /noconlog)

  /fileLogger[n]     Logs the build output to a file. By default
                     the file is in the current directory and named 
                     "msbuild[n].log". Events from all nodes are combined into
                     a single log. The location of the file and other
                     parameters for the fileLogger can be specified through 
                     the addition of the "/fileLoggerParameters[n]" switch.
                     "n" if present can be a digit from 1-9, allowing up to 
                     10 file loggers to be attached. (Short form: /fl[n])
    
  /fileloggerparameters[n]:<parameters>                                
                     Provides any extra parameters for file loggers.
                     The presence of this switch implies the 
                     corresponding /filelogger[n] switch.
                     "n" if present can be a digit from 1-9.
                     /fileloggerparameters is also used by any distributed
                     file logger, see description of /distributedFileLogger.
                     (Short form: /flp[n])
                     The same parameters listed for the console logger are
                     available. Some additional available parameters are:
                        LogFile--path to the log file into which the
                            build log will be written.
                        Append--determines if the build log will be appended
                            to or overwrite the log file. Setting the
                            switch appends the build log to the log file;
                            Not setting the switch overwrites the 
                            contents of an existing log file. 
                            The default is not to append to the log file.
                        Encoding--specifies the encoding for the file, 
                            for example, UTF-8, Unicode, or ASCII
                     Default verbosity is Detailed.
                     Examples:
                       /fileLoggerParameters:LogFile=MyLog.log;Append;
                                           Verbosity=diagnostic;Encoding=UTF-8

                       /flp:Summary;Verbosity=minimal;LogFile=msbuild.sum 
                       /flp1:warningsonly;logfile=msbuild.wrn 
                       /flp2:errorsonly;logfile=msbuild.err
    
  /distributedlogger:<central logger>*<forwarding logger>                     
                     Use this logger to log events from MSBuild, attaching a
                     different logger instance to each node. To specify
                     multiple loggers, specify each logger separately. 
                     (Short form /dl)
                     The <logger> syntax is:
                       [<logger class>,]<logger assembly>[;<logger parameters>]
                     The <logger class> syntax is:
                       [<partial or full namespace>.]<logger class name>
                     The <logger assembly> syntax is:
                       {<assembly name>[,<strong name>] | <assembly file>}
                     The <logger parameters> are optional, and are passed
                     to the logger exactly as you typed them. (Short form: /l)
                     Examples:
                       /dl:XMLLogger,MyLogger,Version=1.0.2,Culture=neutral
                       /dl:MyLogger,C:\My.dll*ForwardingLogger,C:\Logger.dll

  /distributedFileLogger                                                       
                     Logs the build output to multiple log files, one log file
                     per MSBuild node. The initial location for these files is
                     the current directory. By default the files are called 
                     "MSBuild<nodeid>.log". The location of the files and
                     other parameters for the fileLogger can be specified 
                     with the addition of the "/fileLoggerParameters" switch.

                     If a log file name is set through the fileLoggerParameters
                     switch the distributed logger will use the fileName as a 
                     template and append the node id to this fileName to 
                     create a log file for each node.
    
  /logger:<logger>   Use this logger to log events from MSBuild. To specify
                     multiple loggers, specify each logger separately.
                     The <logger> syntax is:
                       [<logger class>,]<logger assembly>[;<logger parameters>]
                     The <logger class> syntax is:
                       [<partial or full namespace>.]<logger class name>
                     The <logger assembly> syntax is:
                       {<assembly name>[,<strong name>] | <assembly file>}
                     The <logger parameters> are optional, and are passed
                     to the logger exactly as you typed them. (Short form: /l)
                     Examples:
                       /logger:XMLLogger,MyLogger,Version=1.0.2,Culture=neutral
                       /logger:XMLLogger,C:\Loggers\MyLogger.dll;OutputAsHTML

  /validate          Validate the project against the default schema. (Short
                     form: /val)

  /validate:<schema> Validate the project against the specified schema. (Short
                     form: /val)
                     Example:
                       /validate:MyExtendedBuildSchema.xsd

  /ignoreprojectextensions:<extensions>
                     List of extensions to ignore when determining which 
                     project file to build. Use a semicolon or a comma 
                     to separate multiple extensions.
                     (Short form: /ignore)
                     Example:
                       /ignoreprojectextensions:.sln
    
  /nodeReuse:<parameters>
                     Enables or Disables the reuse of MSBuild nodes.
                     The parameters are:
                     True --Nodes will remain after the build completes
                            and will be reused by subsequent builds (default)
                     False--Nodes will not remain after the build completes
                     (Short form: /nr)
                     Example:
                       /nr:true
    
  /preprocess[:file] 
                     Creates a single, aggregated project file by
                     inlining all the files that would be imported during a
                     build, with their boundaries marked. This can be
                     useful for figuring out what files are being imported
                     and from where, and what they will contribute to
                     the build. By default the output is written to
                     the console window. If the path to an output file 
                     is provided that will be used instead.
                     (Short form: /pp)
                     Example:
                       /pp:out.txt
    
  /detailedsummary 
                     Shows detailed information at the end of the build
                     about the configurations built and how they were
                     scheduled to nodes. 
                     (Short form: /ds)
    
  @<file>            Insert command-line settings from a text file. To specify
                     multiple response files, specify each response file
                     separately.
                     
                     Any response files named "msbuild.rsp" are automatically 
                     consumed from the following locations: 
                     (1) the directory of msbuild.exe
                     (2) the directory of the first project or solution built

  /noautoresponse    Do not auto-include any MSBuild.rsp files. (Short form:
                     /noautorsp)

  /nologo            Do not display the startup banner and copyright message.

  /version           Display version information only. (Short form: /ver)

  /help              Display this usage message. (Short form: /? or /h)

Examples:

        MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
        MSBuild MyApp.csproj /t:Clean 
                             /p:Configuration=Debug;TargetFrameworkVersion=v3.5
    

Loaded Modules:

Path
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: MSBuild.exe
  • Product Name: Microsoft .NET Framework
  • Company Name: Microsoft Corporation
  • File Version: 4.8.4161.0 built by: NET48REL1
  • Product Version: 4.8.4161.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/0da56bd07a486818b7735761001cc1d3ca5af645f369a3c206bcb6719fefff06/detection

File Similarity (ssdeep match)

File                                                         Score
C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe  74

Possible Misuse

The following table contains possible examples of MSBuild.exe being misused. While MSBuild.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\msbuild.exe' DRL 1.0
sigma file_event_win_win_shell_write_susp_directory.yml - '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml - '\msbuild.exe' DRL 1.0
sigma net_connection_win_silenttrinity_stager_msbuild_activity.yml title: Silenttrinity Stager Msbuild Activity DRL 1.0
sigma net_connection_win_silenttrinity_stager_msbuild_activity.yml Image\|endswith: '\msbuild.exe' DRL 1.0
sigma proc_creation_win_office_shell.yml - '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml DRL 1.0
sigma proc_creation_win_outlook_shell.yml - '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml DRL 1.0
sigma proc_creation_win_possible_applocker_bypass.yml - '\msbuild.exe' DRL 1.0
sigma proc_creation_win_script_event_consumer_spawn.yml - '\msbuild.exe' DRL 1.0
sigma proc_creation_win_susp_emotet_rundll32_execution.yml - '\tracker.exe' #When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe DRL 1.0
LOLBAS Msbuild.yml Name: Msbuild.exe
LOLBAS Msbuild.yml - Command: msbuild.exe pshell.xml
LOLBAS Msbuild.yml - Command: msbuild.exe project.csproj
LOLBAS Msbuild.yml - Command: msbuild.exe @sample.rsp
LOLBAS Msbuild.yml - Command: msbuild.exe /logger:TargetLogger,C:\Loggers\TargetLogger.dll;MyParameters,Foo
LOLBAS Msbuild.yml - Command: msbuild.exe project.proj
LOLBAS Msbuild.yml Description: Execute jscript/vbscript code through XML/XSL Transformation. Requires Visual Studio MSBuild v14.0+.
LOLBAS Msbuild.yml - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\Msbuild.exe
LOLBAS Msbuild.yml - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Msbuild.exe
LOLBAS Msbuild.yml - Path: C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
LOLBAS Msbuild.yml - Path: C:\Windows\Microsoft.NET\Framework64\v3.5\Msbuild.exe
LOLBAS Msbuild.yml - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
LOLBAS Msbuild.yml - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe
LOLBAS Msbuild.yml - Path: C:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe
LOLBAS Msbuild.yml - IOC: Msbuild.exe should not normally be executed on workstations
LOLBAS Msbuild.yml - Link: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/
LOLBAS Msbuild.yml - Link: https://www.daveaglick.com/posts/msbuild-loggers-and-logging-events
LOLBAS Csi.yml - Path: c:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\Roslyn\csi.exe
LOLBAS Dotnet.yml - Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ]
LOLBAS Dotnet.yml Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code
atomic-red-team index.md - T1127.001 MSBuild MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1127.001 MSBuild MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows] MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Port Monitors | Scheduled Task/Job CONTRIBUTE A TEST | MSBuild | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | PowerShell Profile | Scheduled Task/Job CONTRIBUTE A TEST | MSBuild | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team T1127.001.md # T1127.001 - MSBuild MIT License. © 2018 Red Canary
atomic-red-team T1127.001.md <blockquote>Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild) MIT License. © 2018 Red Canary
atomic-red-team T1127.001.md Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1127.001.md - Atomic Test #1 - MSBuild Bypass Using Inline Tasks (C#) MIT License. © 2018 Red Canary
atomic-red-team T1127.001.md - Atomic Test #2 - MSBuild Bypass Using Inline Tasks (VB) MIT License. © 2018 Red Canary
atomic-red-team T1127.001.md ## Atomic Test #1 - MSBuild Bypass Using Inline Tasks (C#) MIT License. © 2018 Red Canary
atomic-red-team T1127.001.md Executes the code in a project file using msbuild.exe. The default C# project example file (T1127.001.csproj) will simply print “Hello From a Code Fragment” and “Hello From a Class.” to the screen. MIT License. © 2018 Red Canary
atomic-red-team T1127.001.md | msbuildpath | Default location of MSBuild | Path | C:\Windows\Microsoft.NET\Framework\v4.0.30319| MIT License. © 2018 Red Canary
atomic-red-team T1127.001.md | msbuildname | Default name of MSBuild | Path | msbuild.exe| MIT License. © 2018 Red Canary
atomic-red-team T1127.001.md ## Atomic Test #2 - MSBuild Bypass Using Inline Tasks (VB) MIT License. © 2018 Red Canary
atomic-red-team T1127.001.md Executes the code in a project file using msbuild.exe. The default Visual Basic example file (vb.xml) will simply print “Hello from a Visual Basic inline task!” to the screen. MIT License. © 2018 Red Canary
signature-base gen_url_persitence.yar $file1 = /\x0a\x0d\s=[^\x0d](powershell|cmd|certutil|mshta|wscript|cscript|rundll32|wmic|regsvr32|msbuild)(.exe|)[^\x0d]{2,50}\x0d/ nocase CC BY-NC 4.0
signature-base thor-hacktools.yar Identifier: MSBuild Katz-XML CC BY-NC 4.0
signature-base thor-hacktools.yar description = “Detects an XML that executes Mimikatz on an endpoint via MSBuild” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.