My key takeaways
- MSBuild is a binary that is installed by default on Windows
  - no whitelisting required
- `.csproj` and `.xml` files are typical to interact with MSBuild
- Custom tasks are the juicy stuff
  - Malicious code is placed in the `Execute` function of the custom task and compiled into a dll
  - xml will bypass detection a lot more often than compiled code
  - with MSBuild you compile the malicious dll on the target system
  - con: you need 2 files to drop
- With .NET 4.0 you can use inline tasks as well
  - one file to rule them all
  - no dll needed to compile
  - con: inline malicious code is easily recognized by DFIR
- With the unregister task you could host the malicious dll on a UNC or WebDAV path as well
- `XslTransformation` tasks can be abused too
  - No ref to CodeTaskFactory, which is required for inline tasks
- `GenerateResource` task using `resgen.exe`
  - might not be on the system already
  - input is `.resx` files > `.resources` files
  - payload is Base64 encoded inline
- If admin access you can override pre-built native tasks (like Copy, MakeDir, ...) and this way make your malicious code execute for persistence using `Copy.overridetasks`
- If a `.csproj` file is the only file in a dir, running `MSBuild.exe` without any argument will execute the `.csproj` file anyway
  - no traces in the logs for the blue team
- Looking for `Microsoft-WebDAV-MiniRedir/{VERSION}` as user agent in your network might be an IOC
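Two of the points above are directly checkable on the blue-team side: a project file that declares an inline task must reference `CodeTaskFactory` in a `UsingTask`, and a task dll loaded over WebDAV shows up in web logs with the `Microsoft-WebDAV-MiniRedir/{VERSION}` user agent. The script below is an added example (not from the talk or the linked docs) that scans an MSBuild project for `UsingTask` declarations and classifies them, and scans proxy log lines for the WebDAV Mini-Redirector user agent. The project file and the log lines are constructed samples; the `UsingTask` attributes (`TaskName`, `TaskFactory`, `AssemblyFile`, `AssemblyName`) and the MSBuild XML namespace are real, everything else is illustrative.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample project file (not from the talk): one inline task that
# references CodeTaskFactory and one task whose assembly lives on a UNC path.
# The inline task body is deliberately left empty.
SAMPLE_PROJECT = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <Hello />
  </Target>
  <UsingTask TaskName="Hello" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Fragment" Language="cs"><![CDATA[/* inline task body omitted */]]></Code>
    </Task>
  </UsingTask>
  <UsingTask TaskName="Other" AssemblyFile="\\\\fileserver\\share\\tasks.dll" />
</Project>
"""


def _local(tag):
    """Strip the XML namespace prefix ("{ns}Name" -> "Name")."""
    return tag.rsplit("}", 1)[-1]


def scan_project(xml_text):
    """Classify every UsingTask element in an MSBuild project file.

    Returns a list of (kind, task_name) tuples, where kind is one of:
      inline-task           TaskFactory="CodeTaskFactory": source compiled at build time
      remote-assembly       task dll loaded from a UNC or http(s) path
      custom-task-assembly  task dll loaded from a local file or assembly name
    """
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) != "UsingTask":
            continue
        name = el.get("TaskName", "?")
        factory = el.get("TaskFactory", "")
        asm = el.get("AssemblyFile", "") or el.get("AssemblyName", "")
        if factory == "CodeTaskFactory":
            findings.append(("inline-task", name))
        elif asm.startswith("\\\\") or asm.lower().startswith(("http://", "https://")):
            findings.append(("remote-assembly", name))
        elif asm:
            findings.append(("custom-task-assembly", name))
    return findings


# User agent sent by the Windows WebDAV Mini-Redirector; the number after the
# slash is the client OS build.
WEBDAV_UA = re.compile(r"Microsoft-WebDAV-MiniRedir/(\d+(?:\.\d+)*)")

# Constructed proxy log lines in common log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "PROPFIND /share/ HTTP/1.1" 207 512 "-" "Microsoft-WebDAV-MiniRedir/10.0.19041"',
    '10.0.0.7 - - [01/Jan/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def find_webdav_clients(log_lines):
    """Return (client_ip, version) for each line carrying the Mini-Redirector UA."""
    hits = []
    for line in log_lines:
        m = WEBDAV_UA.search(line)
        if m:
            hits.append((line.split()[0], m.group(1)))
    return hits


if __name__ == "__main__":
    for kind, name in scan_project(SAMPLE_PROJECT):
        print(f"{kind:22} {name}")
    for ip, ver in find_webdav_clients(SAMPLE_LOG):
        print(f"webdav client {ip} (build {ver})")
```

Pointing `scan_project` at every `.csproj`/`.xml` dropped into a user-writable directory gives a cheap triage signal: an inline task or a task assembly on a UNC path is unusual outside a developer machine, and matching the log hits against the hosts that produced those files ties the two observations together.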
Env
- Provided by Wild West Hackin’ Fest
- Speaker
additional links
- https://docs.microsoft.com/en-us/visualstudio/msbuild/walkthrough-creating-an-msbuild-project-file-from-scratch?view=vs-2019
- https://docs.microsoft.com/en-us/visualstudio/msbuild/task-writing?view=vs-2019
- https://docs.microsoft.com/en-us/dotnet/api/microsoft.build.framework.itask?view=msbuild-16-netcore
- https://docs.microsoft.com/en-us/visualstudio/msbuild/makedir-task?view=vs-2019
- https://www.blackhillsinfosec.com/deploying-a-webdav-server/
- https://docs.microsoft.com/en-us/dotnet/core/extensions/create-resource-files
- https://docs.microsoft.com/en-us/visualstudio/msbuild/generateresource-task?view=vs-2019
- https://www.zerodayinitiative.com/blog/2020/4/28/cve-2020-0932-remote-code-execution-on-microsoft-sharepoint-using-typeconverters
- https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-task-reference?view=vs-2019