MSBuild for Cobalt Strike Beacon Execution Abused by Threat Actors


Malicious campaigns recently misused Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on compromised machines. Designed to build applications on Windows, MSBuild uses a project file item called ‘Tasks’ to select components used during project construction, and threat actors are misusing these Tasks to create malicious code that masquerades as MSBuild.

Last week, SANS Internet Storm Center (ISC) handler and Morphus Labs security researcher Renato Marinho said that two malicious campaigns were seen abusing MSBuild for code execution. Threat actors often gain access to the target environment using a valid remote desktop protocol (RDP) account, use remote Windows Services (SCM) to move laterally, and abuse MSBuild to execute the Cobalt Strike Beacon payload.
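For defenders triaging project files found on a host, the following added example (not code from the article or from the researchers it cites) flags MSBuild project files that define a Task whose source code is embedded in the file itself. It assumes the abused Tasks are declared with `UsingTask` and a code-compiling `TaskFactory`, a detail the article does not spell out; the function name and both sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Task factories that compile source code embedded in the project file.
INLINE_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}

# Constructed samples: one project with an inline task, one without.
SAMPLE_INLINE = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><Demo /></Target>
  <UsingTask TaskName="Demo" TaskFactory="CodeTaskFactory">
    <Task>
      <Code Type="Class" Language="cs"><![CDATA[// constructed placeholder body]]></Code>
    </Task>
  </UsingTask>
</Project>"""
SAMPLE_PLAIN = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><Message Text="hello" /></Target>
</Project>"""


def _local(tag):
    """Drop the XML namespace so namespaced and SDK-style projects match alike."""
    return tag.rsplit("}", 1)[-1]


def find_inline_tasks(project_xml):
    """Return one finding per UsingTask that compiles code carried in the file."""
    if "<!DOCTYPE" in project_xml.upper():
        # Project files never need a DTD; refuse rather than expand entities.
        raise ValueError("DOCTYPE not allowed in project file under triage")
    findings = []
    for el in ET.fromstring(project_xml).iter():
        if _local(el.tag) != "UsingTask":
            continue
        factory = el.get("TaskFactory", "")
        if factory.lower() not in INLINE_FACTORIES:
            continue
        for code in el.iter():
            if _local(code.tag) != "Code":
                continue
            findings.append({
                "task": el.get("TaskName", ""),
                "factory": factory,
                "language": code.get("Language", ""),
                "external_source": code.get("Source"),  # code kept in another file
                "body_chars": len((code.text or "").strip()),
            })
    return findings
```

A finding is a lead for review rather than a verdict, since legitimate builds also use inline tasks; where the project file was found and which process launched MSBuild decide how much weight it carries.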

Read More: SecurityWeek
