January 26

Webinar takeaway – A Master Class on Offensive MSBuild


My key takeaways

  • MSBuild.exe ships with the .NET Framework, so it is present on a default Windows install and is a Microsoft-signed binary
    • application whitelisting normally lets it through, no extra allow-listing required
  • Project files (.csproj, or any MSBuild XML) are the typical way to interact with MSBuild
  • Custom tasks are the juicy stuff
  • Malicious code goes in the Execute() method of the custom task class, which is compiled into a DLL and referenced from the project with UsingTask
  • XML will bypass detection a lot more often than compiled code
    • with MSBuild you compile the malicious DLL on the target system
    • con: you need to drop 2 files
  • With .NET 4.0 you can use inline tasks as well (CodeTaskFactory)
    • one file to rule them all
    • no DLL to compile beforehand, the task body is compiled in memory at build time
    • con: inline malicious code is easy for DFIR to recognize, the source sits in plain text in the project file
  • With the unregister task (UnregisterAssembly) you can also host the malicious DLL on a UNC or WebDAV path
  • XslTransformation tasks can be abused too
    • no reference to CodeTaskFactory, which is required for inline tasks
  • GenerateResource task: the resgen.exe it relies on might not be on the system already
    • input is .resx files > .resources files
    • payload is Base64 encoded inline in the .resx
  • With admin access you can override the built-in tasks (Copy, MakeDir, ...) for persistence: an override tasks file (e.g. Copy.overridetasks) in the MSBuild tools directory, next to Microsoft.Common.tasks, redirects the task to your assembly, so every build that uses the task executes your code
  • If a .csproj is the only project file in a dir, running MSBuild.exe without any argument will execute that .csproj anyway
    • the process-creation log then shows only MSBuild.exe with no project path, so the blue team has nothing in the command line to pivot on
  • Looking for Microsoft-WebDAV-MiniRedir/{VERSION} as a user agent in your network might be an IOC (it is the Windows WebDAV client fetching the remotely hosted DLL)
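To make the "one file to rule them all" point concrete, here is an added example of my own (not material from the webinar): a benign single-file inline task built with CodeTaskFactory, written to a scratch directory (assumed location under $env:TEMP, names are mine) and run with the MSBuild.exe that ships with the .NET Framework. The task only logs the current user name; the second invocation shows the no-argument launch from the takeaways above.

```powershell
# Added example: benign CodeTaskFactory inline task, run two ways.
# Assumptions (mine): scratch dir under $env:TEMP, .NET Framework 4.x MSBuild path.

$dir  = Join-Path $env:TEMP 'msbuild-inline-demo'
New-Item -ItemType Directory -Force -Path $dir | Out-Null
$proj = Join-Path $dir 'demo.csproj'

# Single-quoted here-string: $(MSBuildToolsPath) is left for MSBuild to expand.
@'
<Project ToolsVersion="4.0" DefaultTargets="Run" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- CodeTaskFactory compiles the fragment below in memory; no DLL is dropped. -->
  <UsingTask TaskName="DemoTask" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Fragment" Language="cs"><![CDATA[
        Log.LogMessage(MessageImportance.High, "inline task running as " + Environment.UserName);
      ]]></Code>
    </Task>
  </UsingTask>
  <Target Name="Run">
    <DemoTask />
  </Target>
</Project>
'@ | Set-Content -Path $proj -Encoding ASCII

$msbuild = Join-Path $env:SystemRoot 'Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe'
if (-not (Test-Path $msbuild)) {
    $msbuild = Join-Path $env:SystemRoot 'Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
}

# 1) Explicit project argument: the project path ends up in the process-creation log.
& $msbuild $proj /nologo /v:m

# 2) No project argument: demo.csproj is the only project file in the directory,
#    so MSBuild builds it anyway and the logged command line is just "MSBuild.exe /nologo /v:m".
Push-Location $dir
& $msbuild /nologo /v:m
Pop-Location
```

Both runs print the same log line; only the command line recorded by process auditing differs, which is the whole point of the "only .csproj in the directory" trick.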

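For the blue-team side, an added hunting script of my own (again not from the webinar) that covers two of the indicators above: MSBuild.exe starts whose command line carries no project file, and project files on disk that use the tricks listed (inline tasks, task assemblies loaded from a UNC path, XslTransformation). It assumes process-creation auditing with command-line logging is enabled (Security event 4688 with CommandLine populated) and is run elevated; the default scan root under the user profile is my choice.

```powershell
# Added hunting example. Assumptions (mine): 4688 auditing with command line
# logging on, run elevated, scan root defaults to the current user profile.

function Get-MSBuildLaunches {
    # One object per MSBuild.exe start; Suspicious = no project file on the command line.
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Pull EventData fields by name rather than by index.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['NewProcessName'] -notmatch '\\MSBuild\.exe$') { continue }
        # Drop the executable token (quoted or not), keep the arguments.
        $rest = $data['CommandLine'] -replace '^\s*("[^"]*"|\S+)\s*', ''
        $hasProject = $rest -match '\.(csproj|vbproj|proj|xml|sln)(\s|"|$)'
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Parent      = $data['ParentProcessName']
            CommandLine = $data['CommandLine']
            Suspicious  = -not $hasProject
        }
    }
}

function Find-SuspiciousProjectFiles {
    # Flags MSBuild project files using inline tasks (CodeTaskFactory / RoslynCodeTaskFactory),
    # task assemblies referenced via a UNC path, or the XslTransformation task.
    param([string]$Root = $env:USERPROFILE)
    Get-ChildItem -Path $Root -Recurse -File -Include *.csproj,*.vbproj,*.proj,*.targets,*.xml -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
        if (-not $text -or $text -notmatch '<Project\b') { return }
        $reasons = @()
        if ($text -match 'TaskFactory\s*=\s*"(Code|RoslynCode)TaskFactory"') { $reasons += 'inline task' }
        if ($text -match 'AssemblyFile\s*=\s*"\\\\')                         { $reasons += 'task assembly from UNC path' }
        if ($text -match '<XslTransformation\b' -or $text -match 'msxsl:script') { $reasons += 'XslTransformation / XSLT script' }
        if ($reasons) {
            [pscustomobject]@{ Path = $_.FullName; Reasons = ($reasons -join ', ') }
        }
    }
}

Get-MSBuildLaunches | Where-Object Suspicious | Format-Table -AutoSize
Find-SuspiciousProjectFiles | Format-Table -AutoSize
```

A launch with no project argument is not malicious on its own (developers do it too), so read the Parent and User columns before acting. The WebDAV user-agent indicator from the takeaways is a proxy or network-sensor check and is not covered by this host-side script.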

Tags

living off the land, payload, red teaming

