CAR-2020-11-008: MSBuild and msxsl

Trusted developer utilities such as MSBuild may be leveraged to run malicious code with elevated privileges. This analytic looks for any instances of msbuild.exe, which will execute any C# code placed within a given XML document; and msxsl.exe, which processes xsl transformation specifications for XML files and will execute a variaty of scripting languages contained within the XSL file. Both of these executables are rarely used outside of Visual Studio.

ATT&CK Detections

Technique	Subtechnique(s)	Tactic(s)	Level of Coverage
Trusted Developer Utilities Proxy Execution	MSBuild	Defense Evasion	High

D3FEND Techniques

ID	Name
D3-PSA	Process Spawn Analysis

Data Model References

Object	Action	Field
process	create	exe
process	create	image_path

Implementations

Pseudocode - msbuild (Pseudocode, CAR native)

This is a pseudocode representation of the below splunk search.

processes = search Process:Create
target_processes = filter processes where (
  (exe="C:\Program Files (x86)\Microsoft Visual Studio\*\bin\MSBuild.exe" OR exe="C:\Windows\Microsoft.NET\Framework*\msbuild.exe" OR exe="C:\users\*\appdata\roaming\microsoft\msxsl.exe") AND
  image_path!="*Microsoft Visual Studio*")
output target_processes

Splunk Search - msbuild (Splunk, Sysmon native)

Looks for all instances of msbuild.exe or msxsl.exe

(index=__your_sysmon_index__ EventCode=1) (Image="C:\\Program Files (x86)\\Microsoft Visual Studio\\*\\bin\\MSBuild.exe" OR Image="C:\\Windows\\Microsoft.NET\\Framework*\\msbuild.exe" OR Image="C:\\users\\*\\appdata\\roaming\\microsoft\\msxsl.exe") ParentImage!="*\\Microsoft Visual Studio*")

LogPoint Search - msbuild (Logpoint, LogPoint native)

Looks for all instances of msbuild.exe or msxsl.exe

norm_id=WindowsSysmon event_id=1 (image IN ["C:\Program Files (x86)\Microsoft Visual Studio\*\bin\MSBuild.exe", "C:\Windows\Microsoft.NET\Framework*\msbuild.exe", "C:\Users\*\appdata\roaming\microsoft\msxsl.exe") -parent_image="*\Microsoft Visual Studio*")