January 26

Webinar takeaway – A Master Class on Offensive MSBuild


My key takeaways

  • MSBuild is a binary that is installed by default on Windows
    • no whitelisting required
  • .csproj and .xml files are the typical way to interact with MSBuild
  • Custom tasks are the juicy stuff
  • Malicious code is placed in the Execute function of the custom task and compiled into a DLL
  • XML bypasses detection a lot more often than compiled code
    • with MSBuild you compile the malicious DLL on the target system
    • con: you need to drop two files
  • With .NET 4.0 you can use inline tasks as well
    • one file to rule them all
    • no DLL needs to be compiled
    • con: inline malicious code is easy for DFIR to recognize
  • With the unregister task you could host the malicious DLL on a UNC or WebDAV path as well
  • XslTransformation tasks can be abused too
    • no reference to CodeTaskFactory, which is required for inline tasks
  • GenerateResource task using resgen.exe, which might not be on the system already
    • input is .resx files, converted to .resources files
    • the payload is Base64-encoded inline
  • With admin access you can override pre-built native tasks (like Copy, MakeDir, …) and this way get your malicious code executed for persistence, using Copy.overridetasks
  • If a .csproj file is the only file in a directory, running MSBuild.exe without any arguments will execute that .csproj file anyway
    • no traces in the logs for the blue team
  • Looking for Microsoft-WebDAV-MiniRedir/{VERSION} as the user agent in your network might be an IOC
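The defender's side of these takeaways, as an added example in Python that is not part of the webinar or this post: a triage scan of an MSBuild project file for the constructs named above (inline tasks via CodeTaskFactory, the XslTransformation and GenerateResource tasks, task assemblies loaded from UNC or HTTP paths) and a scan of proxy log lines for the Mini-Redirector user agent mentioned as an IOC. The project file, the log lines, their field layout and all IP addresses are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/developer/msbuild/2003}"
WEBDAV_UA = re.compile(r"Microsoft-WebDAV-MiniRedir/([\d.]+)")

# Constructed sample project file: one inline task and one task assembly on a UNC path.
SAMPLE_PROJECT = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="Hello" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll" />
  <UsingTask TaskName="Remote" AssemblyFile="\\198.51.100.7\share\task.dll" />
  <Target Name="Build"><Hello /></Target>
</Project>"""

# Constructed proxy log lines: timestamp, client, method, URL, quoted user agent.
SAMPLE_LOG = [
    '2024-01-26T10:00:01Z 10.0.0.5 GET http://198.51.100.7/share/task.dll "Microsoft-WebDAV-MiniRedir/10.0.19041"',
    '2024-01-26T10:00:02Z 10.0.0.6 GET http://intranet/index.html "Mozilla/5.0"',
]

def project_indicators(xml_text):
    """Return the abuse indicators found in an MSBuild project file, in document order."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.replace(NS, "")  # handle both namespaced and plain project files
        if tag == "UsingTask":
            if "CodeTaskFactory" in el.get("TaskFactory", ""):
                hits.append("inline-task:CodeTaskFactory")
            asm = el.get("AssemblyFile", "")
            if asm.startswith("\\\\") or asm.lower().startswith("http"):
                hits.append("remote-task-assembly:" + asm)
        elif tag in ("XslTransformation", "GenerateResource"):
            hits.append("task:" + tag)
    return hits

def webdav_clients(log_lines):
    """Return (client, redirector version, url) for lines carrying the Mini-Redirector user agent."""
    hits = []
    for line in log_lines:
        m = WEBDAV_UA.search(line)
        if m:
            fields = line.split()  # constructed layout: ts client method url "ua"
            hits.append((fields[1], m.group(1), fields[3]))
    return hits

if __name__ == "__main__":
    print(project_indicators(SAMPLE_PROJECT))
    print(webdav_clients(SAMPLE_LOG))
```

Run the file as-is to see both scans on the constructed samples; point `project_indicators` at the contents of a real .csproj or .xml, and `webdav_clients` at your own proxy export, after adjusting the field split to that log's layout.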

