MSBuild is a trusted Microsoft binary that ships with every Windows installation — and it's a favorite tool for adversaries looking to execute arbitrary code without triggering traditional AV signatures.
During a recent purple team cycle, I developed a comprehensive set of detection signals around MSBuild abuse. This post walks through the attack techniques, the detection gaps I found, and the SIEM rules we built to close them.
The attack surface
MSBuild can execute inline C# tasks from .csproj and .xml files, making it an effective living-off-the-land binary (LOLBin) for defense evasion. The key techniques include:
- Inline task execution via crafted project files
- Remote file fetching and in-memory execution
- Process injection from MSBuild child processes
Detection signals
The detection engineering approach I used focused on three layers: process creation telemetry, file system artifacts, and network behavior anomalies.
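To make the process-creation layer concrete, here is an added example (not the rules from the engagement) that scores Sysmon-style process events for the MSBuild signals described above: a project file loaded from a user-writable path, MSBuild launched by something other than build tooling, and an unexpected child of MSBuild. The event field names, the sample events and the allowlists are assumptions constructed for the example and would need tuning to a real environment.

```python
import re

# Constructed Sysmon-like process-creation events (field names and values are assumptions).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\update.xml",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"id": 2, "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj /p:Configuration=Release",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"id": 3, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
]

MSBUILD_RE = re.compile(r"(^|\\)msbuild\.exe$", re.IGNORECASE)
# First command-line token that looks like an MSBuild project file (.csproj/.proj/.xml).
PROJECT_ARG_RE = re.compile(r"""["']?([^\s"']+\.(?:csproj|proj|xml))["']?""", re.IGNORECASE)
# Locations a low-privilege user can write to; a build from here is the signal, not the build itself.
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}      # assumed benign launchers
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "conhost.exe", "msbuild.exe"}  # what MSBuild normally spawns


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the list of signal names that fire for one process-creation event."""
    hits = []
    if MSBUILD_RE.search(event["image"]):
        m = PROJECT_ARG_RE.search(event["cmdline"])
        if m and USER_WRITABLE_RE.search(m.group(1)):
            hits.append("msbuild_project_in_user_writable_path")
        if basename(event["parent_image"]) not in BUILD_PARENTS:
            hits.append("msbuild_unusual_parent")
    elif MSBUILD_RE.search(event["parent_image"]) and basename(event["image"]) not in EXPECTED_CHILDREN:
        hits.append("unexpected_msbuild_child")
    return hits


def scan(events: list) -> dict:
    """Map event id -> fired signals, keeping only events with at least one hit."""
    return {e["id"]: hits for e in events if (hits := evaluate(e))}


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

Event 2 (a normal Visual Studio build) produces no hits, which is the point of the allowlists: the rules key on where the project file lives and who launched MSBuild, not on MSBuild running at all.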
More details coming soon — this is a placeholder post to demonstrate the blog structure.