Windows

Msbuild.exeMsbuild.exe

Platform
Windows
Abuse functions
5
Mapped techniques
2

Description

Msbuild.exe is a Windows living-off-the-land binary catalogued by the LOLBAS Project. Documented abuse functions: AWL Bypass, Execute. Mapped ATT&CK techniques (per LOLBAS / GTFOBins → MITRE crosswalk): T1218. Defenders should monitor execution of Msbuild.exe under non-administrative or sudo contexts and alert when its arguments match the abuse-function signatures.

Abuse functions· 5

AWL BypassT1127.001

Compile and run code

ExecuteT1127.001

Compile and run code

ExecuteT1127.001

Execute DLL

ExecuteT1127.001

Execute project file that contains XslTransformation tag parameters

ExecuteT1036

Bypass command-line based detections

MITRE ATT&CK techniques· 2

T1127.001T1036

Uses2

TypeTargetConfidenceTier
SubTechniqueMSBuildt1127.001100%live
TechniqueMasqueradingt1036100%live

Abuses1

TypeTargetConfidenceTier
TechniqueSystem Binary Proxy Executiont121885%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

LOLbin
Msdeploy.exe
LOLbin
Msconfig.exe
LOLbin
Msiexec.exe
LOLbin
IMEWDBLD.exe
LOLbin
Microsoft.Workflow.Compiler.exe
LOLbin
Mspub.exe
Sourced from LOLBAS Project. Curated by Adam Lundqvist, SQUR.