A Tale of an MSBuild In-Line Task

I analyzed a suspicious file found during an Incident Response (IR) that turned out to be an in-line MSBuild task. The file had a byte array with an extremely long sequence of bytes. My first thought was that it was a binary of some sort. I extracted the bytes and wrote a few lines of C Sharp to convert it back to a binary.

The image above is a screenshot of a portion of the MSBuild task file. The byte sequence spanned thousands of lines. If you look at the byte[] buf variable assignment, the byte sequence 0x4d 0x5a represents the Magic Number for the Microsoft Portable Executable (PE) format.

The following code will convert it back to a binary for better analysis:

There are several ways to convert the byte sequence back to a binary. I chose the method above. I then copied the extracted byte sequence from the MSBuild task file into the buf variable above. However, I truncated the bytes in this post for brevity.

Using a clean Windows 10 VM with FLARE (FireEye Labs Advanced Reverse Engineering), you can perform static and dynamic analysis on the binary.

Note the Dynamic Linked Library (DLL) flag next to Characteristics in the Ollydbg PE header dump. The flag is supporting evidence that this is, in fact, a DLL.

When I used the Sysinternals strings command on the binary created from the shellcode, I saw many Microsoft API calls and various other notable strings (beacon.dll) that increase confidence that this particular indicator of compromise (IOC) is potentially an artifact created by Cobalt Strike.

(excerpt of strings output)

RaiseException
DebugBreak
GetModuleFileNameW
VirtualQuery
beacon.dll (Cobalt Strike exported beacon name // This is the default)
_ReflectiveLoader@4 (Indication that shellcode leverages reflective DLL injection)

(excerpt of strings output)

If you run into a similar situation, hopefully, this helps jump-start your analysis. Thanks for reading.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: