MSBuild - T1127.001
(ATT&CK® Technique)
Definition
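Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML-formatted project files that define requirements for loading and building various platforms and configurations. Because a project file can carry inline tasks whose code MSBuild compiles and runs during the build, code supplied in a project file executes under a signed Microsoft binary that application control policies may already allow.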
D3FEND Inferred Relationships
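Browse the D3FEND knowledge graph by clicking on the nodes below. Solid edges show how the technique or a countermeasure acts on an artifact (Compiler Configuration File or Compiler); dashed "may-" edges are relationships inferred from that shared artifact rather than asserted directly for this technique.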
graph LR; T1127001["MSBuild"] --> |modifies| CompilerConfigurationFile["Compiler Configuration File"]; class T1127001 OffensiveTechniqueNode; class CompilerConfigurationFile ArtifactNode; click CompilerConfigurationFile href "/dao/artifact/d3f:CompilerConfigurationFile"; click T1127001 href "/offensive-technique/attack/T1127.001/"; click CompilerConfigurationFile href "/dao/artifact/d3f:CompilerConfigurationFile"; T1127001["MSBuild"] --> |runs| Compiler["Compiler"]; class T1127001 OffensiveTechniqueNode; class Compiler ArtifactNode; click Compiler href "/dao/artifact/d3f:Compiler"; click T1127001 href "/offensive-technique/attack/T1127.001/"; click Compiler href "/dao/artifact/d3f:Compiler"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | CompilerConfigurationFile["Compiler Configuration File"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1127001["MSBuild"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class CompilerConfigurationFile ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] --> | deletes | CompilerConfigurationFile["Compiler Configuration File"]; FileEviction["File Eviction"] -.-> | may-evict | T1127001["MSBuild"] ; class FileEviction DefensiveTechniqueNode; class CompilerConfigurationFile ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; FileEncryption["File Encryption"] --> | encrypts | CompilerConfigurationFile["Compiler Configuration File"]; FileEncryption["File Encryption"] -.-> | may-harden | T1127001["MSBuild"] ; class FileEncryption DefensiveTechniqueNode; class CompilerConfigurationFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; SoftwareUpdate["Software Update"] --> | updates | Compiler["Compiler"]; SoftwareUpdate["Software Update"] -.-> | may-harden | T1127001["MSBuild"] ; class SoftwareUpdate DefensiveTechniqueNode; class Compiler ArtifactNode; click SoftwareUpdate 
href "/technique/d3f:SoftwareUpdate"; DecoyFile["Decoy File"] --> | spoofs | CompilerConfigurationFile["Compiler Configuration File"]; DecoyFile["Decoy File"] -.-> | may-deceive | T1127001["MSBuild"] ; class DecoyFile DefensiveTechniqueNode; class CompilerConfigurationFile ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; LocalFilePermissions["Local File Permissions"] --> | restricts | CompilerConfigurationFile["Compiler Configuration File"]; LocalFilePermissions["Local File Permissions"] -.-> | may-isolate | T1127001["MSBuild"] ; class LocalFilePermissions DefensiveTechniqueNode; class CompilerConfigurationFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; RestoreFile["Restore File"] --> | restores | CompilerConfigurationFile["Compiler Configuration File"]; RestoreFile["Restore File"] -.-> | may-restore | T1127001["MSBuild"] ; class RestoreFile DefensiveTechniqueNode; class CompilerConfigurationFile ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreSoftware["Restore Software"] --> | restores | Compiler["Compiler"]; RestoreSoftware["Restore Software"] -.-> | may-restore | T1127001["MSBuild"] ; class RestoreSoftware DefensiveTechniqueNode; class Compiler ArtifactNode; click RestoreSoftware href "/technique/d3f:RestoreSoftware"; FileAnalysis["File Analysis"] --> | analyzes | CompilerConfigurationFile["Compiler Configuration File"]; FileAnalysis["File Analysis"] -.-> | may-detect | T1127001["MSBuild"] ; class FileAnalysis DefensiveTechniqueNode; class CompilerConfigurationFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | CompilerConfigurationFile["Compiler Configuration File"]; RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1127001["MSBuild"] ; class RemoteFileAccessMediation DefensiveTechniqueNode; class CompilerConfigurationFile ArtifactNode; click 
RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";