
MSBuild

Veramine edited this page Jul 7, 2017 · 4 revisions

MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It takes XML-formatted project files that define requirements for building various platforms and configurations. Adversaries can use MSBuild to proxy execution of code through a trusted Windows utility. The inline task capability of MSBuild, introduced in .NET version 4, allows C# code to be inserted directly into the XML project file; MSBuild compiles and executes the inline task when the project is built. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application whitelisting defenses that are configured to allow MSBuild.exe execution. You can read more about this attacker technique at https://attack.mitre.org/wiki/Technique/T1127.
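The inline task pattern described above is easy to recognise statically in a project file: a `<UsingTask>` whose `TaskFactory` is `CodeTaskFactory` (or the newer `RoslynCodeTaskFactory`) wrapping a `<Task><Code>` element, plus a `<Target>` that invokes the task by name. The following scanner is an added example written for this page, not Veramine's detection engine or any code from the project; it complements behavioral detection by triaging project files before MSBuild.exe ever compiles them. The function names (`scan_project`, `entry_targets`) and the sample project are assumptions constructed for the example; the sample only logs a message.

```python
"""Static scanner for MSBuild inline tasks (CodeTaskFactory / RoslynCodeTaskFactory).

Added example for illustration; it is not Veramine's engine. It reports every
<UsingTask> that embeds source code in the project file, which <Target>s call
that task, and whether one of those targets runs on a plain `msbuild file.csproj`.
"""
import xml.etree.ElementTree as ET

# Task factories that compile source text embedded in the project file itself.
INLINE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}


def _local(tag):
    """Strip the XML namespace so the 2003 MSBuild namespace and unnamespaced
    SDK-style projects are treated alike."""
    return tag.split("}", 1)[-1] if "}" in tag else tag


def entry_targets(root):
    """Targets MSBuild runs when no target is named on the command line:
    DefaultTargets if set, otherwise the first <Target> in the file.
    DependsOnTargets chains are not followed (a deliberate simplification)."""
    default = root.get("DefaultTargets")
    if default:
        return [t.strip() for t in default.split(";") if t.strip()]
    for el in root.iter():
        if _local(el.tag) == "Target":
            return [el.get("Name", "?")]
    return []


def scan_project(project_xml):
    """Return one finding (dict) per inline <Code> element in the project."""
    root = ET.fromstring(project_xml)
    entries = set(entry_targets(root))

    # Map each task name to the targets that invoke it, so a finding shows
    # whether the embedded code is actually wired to execute.
    invokers = {}
    for target in root.iter():
        if _local(target.tag) != "Target":
            continue
        for child in target:
            invokers.setdefault(_local(child.tag), []).append(target.get("Name", "?"))

    findings = []
    for using_task in root.iter():
        if _local(using_task.tag) != "UsingTask":
            continue
        factory = (using_task.get("TaskFactory") or "").lower()
        if factory not in INLINE_FACTORIES:
            continue
        task_name = using_task.get("TaskName", "?")
        callers = invokers.get(task_name, [])
        for code in (e for e in using_task.iter() if _local(e.tag) == "Code"):
            findings.append({
                "task": task_name,
                "factory": using_task.get("TaskFactory"),
                "language": code.get("Language", "cs"),   # MSBuild default is C#
                "code_type": code.get("Type", "Fragment"),  # Fragment, Method or Class
                "external_source": code.get("Source"),      # code pulled from another file
                "code_chars": len((code.text or "").strip()),
                "invoked_by": callers,
                "runs_by_default": bool(set(callers) & entries),
            })
    return findings


# Constructed sample: a benign inline task that only writes a log message,
# shaped like the inline-task examples in Microsoft's documentation.
SAMPLE_PROJECT = r"""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <SayHello />
  </Target>
  <UsingTask TaskName="SayHello" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Fragment" Language="cs">
        Log.LogMessage("Hello from an inline task");
      </Code>
    </Task>
  </UsingTask>
</Project>
"""

if __name__ == "__main__":
    for finding in scan_project(SAMPLE_PROJECT):
        print(finding)
```

A finding with `runs_by_default` set is the one to look at first: the inline code executes as soon as someone runs MSBuild.exe against the file with no arguments, which is exactly the proxy-execution pattern the page describes. `external_source` catches the variant where the `<Code>` element points at a separate file via its `Source` attribute instead of embedding the text.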

The Veramine detection engine reports this pattern of MSBuild.exe usage by detecting the behavior itself. Here is an example of a malicious MSBuild.exe execution:

The Veramine detection engine is able to detect this pattern due to its low-level visibility into process image loads. You can test both the Veramine product and similar host-based detection products by downloading and modifying the example MSBuild scripts at https://gist.github.com/subTee/17a3187a26d784881e438a3df7698fc4, https://gist.github.com/subTee/5babd6b9a1a04ff5a22f10944d119520, and https://gist.githubusercontent.com/subTee/ca477b4d19c885bec05ce238cbad6371/raw/c9b725a68be98cdae5a957bf121a7653c061b9c7/katz.csproj.