Home/ MITRE Matrix/ Defense Evasion/ T1127.001

T1127.001MSBuild

T1127.001 — MSBuild is a MITRE ATT&CK technique in the Defense Evasion tactic. Clankerusecase tracks 5 detection use cases covering it and 1 threat-intel article citing it.

Defense EvasionExecution

View on the matrix → Filter Detection Library MITRE official spec ↗

5Use cases

1Articles

0Sub-techniques

2Tactics

↑ Parent technique: T1127 · Trusted Developer Utilities Proxy Execution

Use cases covering this technique (5)

MSBuild Suspicious Spawned By Script Process ESCU actions · alerting P Suspicious msbuild path ESCU actions · alerting P Suspicious MSBuild Rename ESCU actions · hunting P Suspicious MSBuild Spawn ESCU actions · alerting P [LLM] Renamed MSBuild.exe executing inline .csproj from user-writable path Bespoke install · alerting DSΣPDDCS

Articles citing this technique (1)

crit PlugX Meeting Invitation via MSBuild and GDATA art-503