Try it using Invoke-Atomic

Trusted Developer Utilities Proxy Execution: MSBuild

Description from ATT&CK

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)

Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)

Atomic Tests

Atomic Test #1 - MSBuild Bypass Using Inline Tasks

Executes the code in a project file using. C# Example

Supported Platforms: windows

auto_generated_guid: 58742c0f-cb01-44cd-a60b-fb26e8871c93


Name Description Type Default Value
filename Location of the project file Path PathToAtomicsFolder\T1127.001\src\T1127.001.csproj

Attack Commands: Run with command_prompt!

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #{filename}

Dependencies: Run with powershell!

Description: Project file must exist on disk at specified location (#{filename})

Check Prereq Commands:

if (Test-Path #{filename}) {exit 0} else {exit 1}

Get Prereq Commands:

New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "" -OutFile "#{filename}"