216.73.217.22

T1127.001: MSBuild

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID
T1127.001
Confidence
100/100
Revoked
No
Published
16/12/2025 19:38
Modified
27/03/2026 01:11
Author / Source
The MITRE Corporation

Aliases

T1127.001

Platforms

windows

Description

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild) Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)

Kill chain phases

Kill chainPhase
mitre-attack defense-evasion

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (5)

  • MirrorFace uses
    AlienVault Confidence 100

    [MirrorFace](https://attack.mitre.org/groups/G1054) is a People's Republic of China (PRC)-aligned cyberespionage actor believed to be a subgroup under the [menuPass](https://attack.mitre.org/groups/G0045) umbrella based on targeting, tools, and infrastructure overlaps. [MirrorFace](https://attack.mitre.org/groups/G1054) has …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 04:36 · Modified 04/05/2026 16:33
  • PHALT#BLYX uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 09/01/2026 11:36 · Modified 09/01/2026 11:36
  • Doppelgänger uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 02:53 · Modified 21/12/2025 02:53
  • Unknown uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 03:42 · Modified 21/12/2025 03:42
  • Turla uses IRON HUNTERGroup 88
    The MITRE Corporation Confidence 100

    [Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33

Malware (18)

  • d3f@ckloader uses
    Family
    Published 31/03/2025 05:40 · Modified 31/03/2025 05:40
  • Hijackloader uses
    Family
    Published 10/06/2026 11:58 · Modified 10/06/2026 11:58
  • Korplug uses
    The MITRE Corporation Confidence 100

    [PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation: …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 31/05/2017 23:32 · Modified 08/06/2026 10:23
  • HiddenFace uses
    Family
    Published 18/03/2025 20:59 · Modified 18/03/2025 20:59
  • Uroburos - S0022 uses
    Family
    Published 08/07/2024 10:45 · Modified 08/07/2024 10:45
  • Brute Ratel uses
    Family
    Published 27/05/2025 10:35 · Modified 27/05/2025 10:35
  • Trojan:Win32/Amadey uses
    Family
    Published 20/06/2024 12:18 · Modified 20/06/2024 12:18
  • NOOPLDR uses
    Family
    Published 07/10/2024 19:59 · Modified 07/10/2024 19:59
  • Trojan:Win32/VidarStealer uses
    Family
    Published 20/06/2024 12:18 · Modified 20/06/2024 12:18
  • Uroburos
  • BlackSuit uses
    Family
    Published 07/08/2025 18:57 · Modified 07/08/2025 18:57
  • LODEINFO uses
    Family
    Published 19/11/2024 09:19 · Modified 19/11/2024 09:19
  • Cobalt Strike - S0154 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:39 · Modified 27/05/2026 21:40
  • AsyncRAT uses
    Family
    Published 11/06/2026 16:31 · Modified 11/06/2026 16:31
  • SectopRAT uses
    Family
    Published 26/05/2026 15:20 · Modified 26/05/2026 15:20
  • QDoor uses
    Family
    Published 31/03/2025 05:40 · Modified 31/03/2025 05:40
  • DcRAT uses
    Family
    Published 01/03/2026 05:26 · Modified 01/03/2026 05:26
  • NOOPDOOR uses
    Family
    Published 27/11/2024 18:31 · Modified 27/11/2024 18:31

Reports (5)

Vulnerabilities (CVE) (1)

CVE-2022-1388 KEV

F5 BIG-IP contains a missing authentication in critical function vulnerability which can allow for remote code execution, creation or deletion of files, …

Published
10/05/2022
Modified
20/12/2025

Attack patterns (MITRE) (1)

  • T1127 subtechnique-of
    Trusted Developer Utilities Proxy Execution

Campaign (2)

  • Operation AkaiRyū uses
  • Frankenstein uses

Tool (1)

  • Empire uses
    The MITRE Corporation Confidence 100

    [Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents …

    Published 11/03/2019 15:13 · Modified 27/03/2026 01:07

Course Of Action (2)

  • Execution Prevention mitigates
  • Disable or Remove Feature or Program mitigates