MSBuild.exe: The Stealthy Weapon in Fileless Attacks
Why Attackers Prioritize MSBuild
MSBuild offers attackers three critical advantages:
- Fileless Execution: Malicious C# code is embedded directly in XML project files (.csproj), eliminating the need for standalone executables and bypassing file-based security controls.
- Full System Access: Provides capabilities for file manipulation, network communication, and binary compilation—allowing flexible deployment of multi-stage attacks.
- Trusted Execution Chain: Microsoft’s digital signature automatically whitelists its activity in most endpoint solutions, rendering signature-based detection ineffective.
Real-World Abuse Cases
Early 2025 research by Michał Walkowski demonstrated MSBuild’s ability to bypass Windows Defender on Windows 11 using just two files: a C# source (main.cs) and project configuration (main.csproj). This technique compiles and executes reverse shell code entirely in memory, triggering no alerts despite real-time protection being active.

In February 2026, Lab52 uncovered a phishing campaign abusing MSBuild.exe to deliver PlugX malware. Attackers sent ZIP attachments disguised as meeting invitations containing a renamed MSBuild binary and malicious project file. Upon execution, MSBuild downloaded encoded payloads from attacker servers and used DLL sideloading to covertly activate PlugX via legitimate processes.

Effective Defensive Strategies
Defending against MSBuild-based attacks requires contextual monitoring that transcends static controls:
- Alert on MSBuild.exe execution outside development directories or software installation folders.
- Correlate process chains where MSBuild spawns non-standard children (e.g., PowerShell, cmd.exe).
- Monitor .csproj/.xml file launches in temporary directories or user download folders.
- Analyze suspicious outbound connections initiated by MSBuild or DLL sideloading activity.
MSBuild exemplifies the evolution of LOLBin exploitation, offering attackers stealth and operational versatility without leaving traditional malware footprints. Its successful deployment underscores a critical paradigm shift for defenders: contextual analysis of process relationships and behavioral patterns must now outweigh reliance on signature validation. As LOLBin techniques proliferate, proactive threat hunting and policy enforcement remain indispensable for securing Windows environments against fileless threats.