June 11, 2023

Researchers recently observed several malicious campaigns abusing Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on compromised machines.

MSBuild is a free and open-source build toolset for managed code as well as native C++ code and was part of .NET Framework. It is used for building apps and gives users an XML schema that controls how the build platform processes and builds software to deliver malware using callbacks.

The malicious MSBuild project employed in the attacks was designed to compile and execute specific C# code that in turn decodes and executes Cobalt Strike payload.

In the attack scenario described by the researcher, the attackers initially gained access to the target environment using a valid remote desktop protocol (RDP) account, then leveraged remote Windows Services (SCM) for lateral movement, and MSBuild to execute the Cobalt Strike Beacon payload.


The Beacon was used to decrypt the communication with the C2 server, which was SSL encrypted.

One way to decrypt the SSL traffic is to use a man-in-the-middle approach. To this end, I used the project mitmproxy. The communication schema when using a tool like this is to make the client, the Cobalt Strike beacon, talk to the SSL proxy and make the SSL proxy to talk with the C2 server. In the middle (proxy), we will have the traffic unencrypted.

Researchers Note

To analyse the code executed by the malicious MSBuild project, the expert decrypted the variable ‘buff’ that will store the decrypted malicious content. The researcher implemented the same decryption function in Python to decrypt the code and analyse it.

The expert pointed out that using the Windows Defender Application Control (WDAC) policy it is possible to neutralize these attacks by blocking malicious applications that could execute malicious payloads.

Leave a Reply

%d bloggers like this: