During an internal penetration test, EDR telemetry shows the binary C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe launching a temporary file named SalesReport.csproj from the tester's %TEMP% directory. Moments later, an outbound HTTPS connection to the test team's command-and-control server is recorded, but no new executables are written to disk. Which living-off-the-land technique most likely enabled the payload to run unnoticed?
Invoking regsvr32.exe with a /i switch to run a malicious scriptlet hosted on a remote URL.
Calling rundll32.exe to invoke an exported function from a rogue DLL placed in %TEMP%.
Using certutil.exe to download and base64-decode a remote payload before execution.
Abusing msbuild.exe to compile and execute malicious code contained inside a crafted project file.
MSBuild can compile and immediately execute code that is embedded in specially crafted project files (such as .csproj or .proj). Because msbuild.exe is a trusted Windows binary, running malicious code through it helps evade application-whitelisting and many signature-based defenses. The other options describe different LOLBins, but none involve compiling a project file.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a 'living-off-the-land binary' (LOLBin)?
Open an interactive chat with Bash
How does msbuild.exe execute malicious code from a .csproj file?
Open an interactive chat with Bash
What techniques can be used to detect and mitigate abuse of LOLBins like msbuild.exe?