Created
February 17, 2026 19:37
MSB-04: Atypical File — .csproj with Inline Task from Legitimate-Looking Path

Objective:
Determine whether the detection signal can identify a malicious .csproj containing an inline C# task even when the file resides in a directory that mimics a normal development workspace (complete with a .sln file). This tests content-based detection rather than path-based heuristics. MSB-01 through MSB-03 already validate detection from suspicious locations (C:\Temp). This test flips the scenario — the path looks legitimate, but the content is malicious.

Steps:
1. Create a realistic project directory: mkdir C:\Source\MyProject\src
2. Create a dummy MyProject.sln in C:\Source\MyProject\ (included in test kit)
3. Copy benign_calc.csproj to C:\Source\MyProject\src\MyProject.csproj
4. Execute: MSBuild.exe C:\Source\MyProject\src\MyProject.csproj
5. Confirm calc.exe launches
6. Record command line and file hash

Expected Telemetry:
• MSBuild executing .csproj from a path that looks like a development directory (C:\Source\...)
• A .sln file exists in the parent directory (mimicking a real workspace)
• Project file contains <UsingTask> with CodeTaskFactory — the malicious indicator is in file content, not the path
• Child process: calc.exe spawned by MSBuild.exe
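
The content-based check this test exercises can be sketched as a project-file scanner that ignores the path entirely. This is an added example, not part of the original test kit: the sample project XML is constructed with a placeholder task body, the names find_inline_tasks, SAMPLE_INLINE and SAMPLE_PLAIN are hypothetical, and matching RoslynCodeTaskFactory as well goes beyond the factory the test names.

```python
import xml.etree.ElementTree as ET

# Factories that compile inline code at build time. CodeTaskFactory is the one
# named in this test; RoslynCodeTaskFactory is added here as an assumption.
INLINE_FACTORIES = ("codetaskfactory", "roslyncodetaskfactory")

def local(tag):
    """Strip the XML namespace so namespaced and SDK-style projects both match."""
    return tag.rsplit("}", 1)[-1].lower()

def find_inline_tasks(project_xml):
    """Return one finding per <UsingTask> that uses an inline-code task factory."""
    root = ET.fromstring(project_xml)  # raises ET.ParseError on malformed XML
    findings = []
    for el in root.iter():
        if local(el.tag) != "usingtask":
            continue
        attrs = {k.lower(): v for k, v in el.attrib.items()}
        factory = attrs.get("taskfactory", "")
        if factory.lower() not in INLINE_FACTORIES:
            continue
        code = [c for c in el.iter() if local(c.tag) == "code"]
        findings.append({
            "task": attrs.get("taskname", ""),
            "factory": factory,
            "has_inline_code": bool(code),
            "languages": sorted({c.attrib.get("Language", "") for c in code}),
        })
    return findings

# Constructed sample: inline task declaration with a placeholder body.
SAMPLE_INLINE = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><DemoTask /></Target>
  <UsingTask TaskName="DemoTask" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Fragment" Language="cs"><![CDATA[/* placeholder body */]]></Code></Task>
  </UsingTask>
</Project>"""

# Constructed sample: ordinary SDK-style project with no inline task.
SAMPLE_PLAIN = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net8.0</TargetFramework></PropertyGroup>
</Project>"""

if __name__ == "__main__":
    for name, xml in (("inline", SAMPLE_INLINE), ("plain", SAMPLE_PLAIN)):
        print(name, find_inline_tasks(xml))
```

A finding from a file under C:\Source\... is the content signal; correlating it with the MSBuild.exe command line and the calc.exe child process from the expected telemetry completes the detection.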