LOLBins – Analyzing attack techniques with MSBuild

The article analyzes how threat actors abuse the Microsoft-signed MSBuild.exe to run inline C# project files and perform fileless operations such as reverse shells, downloading payloads, and DLL sideloading to evade detection. It reviews proof-of-concept and real-world campaigns demonstrating Windows Defender bypasses via automatic project-file execution and recommends behavior-based, multi-layered detection focused on process behavior, project-file execution context, network activity, and DLL load flows. #MSBuild #WindowsDefender

Keypoints

  • MSBuild.exe can execute inline C# within .csproj project files, enabling fileless execution and flexible payload configuration without a separate malicious binary.
  • A January 2025 proof-of-concept showed MSBuild compiling and running main.cs to load shellcode and establish a TCP reverse shell that bypassed Windows 11 Defender alerts.
  • A February 2026 real-world campaign used MSBuild as a downloader in a phishing attack: a signed executable (renamed to appear benign) triggered automatic loading of a .csproj that downloaded additional files and enabled DLL sideloading.
  • Threat actors exploit MSBuild’s legitimate signature and automatic project loading to blend with normal activity, making detection by signature or simple file checks ineffective.
  • Downloaded payloads were saved to non-obvious locations (e.g., %TEMP%) with randomized filenames and TLS-protected endpoints, complicating manual analysis and network detection.
  • Recommended mitigations include behavior-based monitoring for MSBuild in non-development contexts, visibility of .csproj/.xml execution, detection of mass downloads and random filenames, and identification of DLL sideloading patterns and suspicious subprocess creation.
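To make the behaviour-based guidance above concrete, the following added example (not code from the original article or from AhnLab) applies three of those rules to constructed Sysmon-style process-creation events: MSBuild started with a project file from a user-writable path, MSBuild launched by a non-development parent, and MSBuild spawning a shell or script interpreter. The sample paths, the parent allowlist and the interpreter list are assumptions to be tuned for a given environment.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1-style fields);
# these are illustrative, not indicators from the original article.
EVENTS = [
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\main.csproj",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden",
     "parent": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
]

# Parents that legitimately launch MSBuild on a developer workstation or build agent (assumed allowlist).
DEV_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}
# Interpreters a build has no reason to spawn; their creation by MSBuild is treated as suspicious.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# User-writable locations that are not normal source trees.
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData|Public|ProgramData)\\", re.I)
# Project-file argument on the MSBuild command line (.csproj, .proj, .xml, .targets).
PROJECT_FILE = re.compile(r"\S+\.(csproj|proj|xml|targets)\b", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the names of the detection rules this single event matches."""
    hits = []
    image, parent = basename(event["image"]), basename(event["parent"])
    if image == "msbuild.exe":
        project = PROJECT_FILE.search(event["cmdline"])
        if project and USER_WRITABLE.search(project.group(0)):
            hits.append("msbuild_project_from_user_writable_path")
        if parent not in DEV_PARENTS:
            hits.append("msbuild_non_dev_parent")
    if parent == "msbuild.exe" and image in SHELLS:
        hits.append("msbuild_spawns_interpreter")
    return hits

def triage(events):
    """Map each suspicious command line to the rules it triggered; benign builds drop out."""
    findings = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            findings[event["cmdline"]] = hits
    return findings

if __name__ == "__main__":
    for cmdline, rules in triage(EVENTS).items():
        print(f"{rules} <- {cmdline}")
```

The third event (a normal Visual Studio build from a source tree) produces no finding, which is the baseline the allowlist must preserve before the first two rules are useful in production.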

MITRE Techniques

  • [T1218] Signed Binary Proxy Execution – Abuse of a signed Microsoft binary (MSBuild.exe) to execute attacker-controlled code via project files (‘MSBuild.exe is a Microsoft-signed Windows native development tool that can build and execute C# code through XML-based project files.’)
  • [T1105] Ingress Tool Transfer – Downloading additional files from external servers to the victim machine via inline C# in the project (‘the script is responsible for communicating with the external threat actor’s server to download additional files.’)
  • [T1574] Hijack Execution Flow (DLL Side-loading) – Loading a malicious DLL into a legitimate signed executable’s process to execute code (‘the malicious DLL downloaded along with it is loaded into memory at this point, which is how the threat actor finally succeeds in executing the malware.’)
  • [T1027] Obfuscated Files or Information – Use of obfuscated payloads or shellcode to evade analysis and detection (‘it is possible to add obfuscated payloads or shellcode to further sophisticate the attack’)
  • [T1059] Command and Scripting Interpreter – Creation or invocation of scripting or interpreter subprocesses from MSBuild (e.g., PowerShell) as suspicious process behavior (‘MSBuild.exe creating subprocesses such as PowerShell-cmd.exe, should be categorized as suspicious.’)
  • [T1071] Application Layer Protocol – Use of HTTPS endpoints and TLS for communication and payload retrieval (‘Base64 encoded URLs with new endpoints’ and ‘ServicePointManager.SecurityProtocol = (SecurityProtocolType)0xC00;’)

Indicators of Compromise

  • [MD5] Reported file hashes – 769687f93869a70511aac1ef7c752455, 7a75e713db41c28378e823322fdea0fd
  • [URL] Download/C2 endpoints used by the campaign – https://onedown.gesecole.net/download/a3693kfa836, https://onedown.gesecole.net/download/a3696kfa836, and 1 more
  • [Domain] Hosting domain for payloads – onedown.gesecole.net (used for download endpoints)
  • [File names] Filenames observed in attack flow and payloads – main.csproj, Avk.dll (and other files such as main.cs, AVKTray.dat, and randomized .exe names in %TEMP%)


Read more: https://asec.ahnlab.com/en/93290/