HomeNewsCobalt Strike Beacon executed using MSBuild

Cobalt Strike Beacon executed using MSBuild

-

Last Updated on 04/01/2022 by Sanskriti

Two independent malicious operations using MSBuild to launch the Cobalt Strike payload on targeted PCs were detected by a researcher from Morphus Labs.

The attackers utilize an RDP account to obtain access to the target environment, then use distant Windows Services and MSBuild to launch the Cobalt Strike Beacon payload.

The Beacon is used to decode SSL-encrypted communications between the C2 server and the client.

The researchers used the same decryption function to decode the code run by the MSBuild project and encrypted variable buff, which stores the decrypted malicious material.

The new malicious effort is not the first to exploit MSBuild; the toolset has already been exploited by a variety of attackers.

MSBuild was utilized to execute a file filled with Metasploit payload in one atypical implementation of Hades’ incursion in June.

In May, attackers were detected utilizing MSBuild to propagate information-stealing malware and remote access tools (RATs).

For their purposes, attackers continue to use open-source and authorized technologies. The researchers claim that the Windows Defender Application Control (WDAC) policy, which bans programs from executing malicious payloads, can thwart these types of assaults.Marinho concludes, “There is a note for MSBuild.exe, though, that if the system is used in a development context to build managed applications, the recommendation is to allow MSBuild.exe in the code integrity policies,”

Sanskriti
Sanskriti
Sanskriti loves technology in general and ensures to keep TheDigitalHacker audience aware of the latest trends, updates, and data breaches.
- Advertisment -

Must Read

DirectTV streaming network will sell your data even if you don’t...

0
DirectTV is a streaming network that delivers streaming content as a service. The content is generally live sports and 14.6M+ people subscribe to their...