MSBuild is Microsoft’s build engine for compiling and packaging .NET and Windows projects. It reads project files and runs build steps, which makes it useful for development and automation. In normal environments, it is a trusted administrative tool.
In cyber security, MSBuild matters because that trust can be abused. Attackers can hide commands or code inside project files and use MSBuild to execute them without dropping an obvious custom malware binary. This makes it a living-off-the-land technique: the activity comes from a legitimate Microsoft utility, so it may blend into routine developer or administrator workflows. Defenders should monitor unusual parent processes, suspicious command lines, and MSBuild activity on systems where building software is not expected. Baselines are important, because MSBuild is not inherently malicious; the risk is the context, the project content, and what it tries to launch next.
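The monitoring points above (host baseline, parent process, command line, and what MSBuild launches next) can be expressed as a small triage routine. This is an added example, not part of the original page; the host names, allow-lists, `ci-agent.exe`, and sample events are assumptions constructed for illustration.

```python
from ntpath import basename  # parses Windows paths on any OS

# Assumed baseline for illustration; build yours from your own telemetry.
BUILD_HOSTS = {"BUILD01", "DEV-WS12"}                       # hosts where builds are expected
EXPECTED_PARENTS = {"devenv.exe", "dotnet.exe", "ci-agent.exe"}  # ci-agent.exe is hypothetical
WATCHED_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "BUILD01", "parent_image": r"C:\VS\Common7\IDE\devenv.exe", "image": MSBUILD,
     "command_line": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
    {"host": "HR-LAPTOP7", "parent_image": r"C:\Program Files\Office\WINWORD.EXE", "image": MSBUILD,
     "command_line": r"MSBuild.exe C:\Users\bob\AppData\Local\Temp\x.proj"},
    {"host": "HR-LAPTOP7", "parent_image": MSBUILD,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},
]

def triage(event):
    """Return the reasons a process-creation event deserves analyst review."""
    image = basename(event["image"]).lower()
    parent = basename(event["parent_image"]).lower()
    cmdline = event["command_line"].lower()
    on_build_host = event["host"] in BUILD_HOSTS
    reasons = []
    if image == "msbuild.exe":
        if not on_build_host:
            reasons.append("msbuild on host with no build baseline")
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent: {parent}")
        if any(path in cmdline for path in USER_WRITABLE):
            reasons.append("project file in user-writable path")
    # On build hosts, build steps can legitimately start shells, so only
    # flag watched children where no build activity is expected.
    elif parent == "msbuild.exe" and image in WATCHED_CHILDREN and not on_build_host:
        reasons.append(f"msbuild launched {image}")
    return reasons

def review(events):
    """Return (host, reasons) for every event that triggered at least one rule."""
    return [(e["host"], r) for e in events if (r := triage(e))]

if __name__ == "__main__":
    for host, reasons in review(SAMPLE_EVENTS):
        print(host, "->", "; ".join(reasons))
```

The routine BUILD01 build produces no findings, which is the point of keeping a baseline: the same binary is flagged only when host, parent, project location, or child process falls outside it.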



