Webinar takeaway - A Master Class on Offensive MSBuild

My key takeaways

MSBuild is a binary that is installed by default on Windows
- no whitelisting required
.csproj and .xml files are typical to interact with MSBuild
Custom tasks are the juicy stuff
Malicious code is placed in the execute function of the custom task and compiled into an dll
xml will bypass detection a lot more often then compiled code
- with MSBuild you compile the malicious dll on the target system
- con: you need 2 files to drop
With .NET 4.0 you can use inline tasks as well
- one file to rule them all
- no dll needed to compile
- con: inline malicious code easily to recognize by DFIR
With the unregister task you could host malicious dll on a UNC or Webdav path as well
XslTransformation tasks can be abused to
- No ref to CodeTaskFactory which is required for inline tasks
GenerateResource task using resgen.exe might not be on the system already
- input is .resx files > .resources files
- payload is Base64 encoded inline
If admin access you can override pre-built native tasks (like Copy, MakeDir,…) and this way make your malicious code executed for persistence using Copy.overridetasks
If .csproj file is the only file in a dir, running MSBuild.exe without any argument, will execute the .csproj file anyway
- no traces in the logs for the blue team
Looking for Microsoft-WebDAV-MiniRedir/{VERSION} as user agent in your network might be an IOC