GCIH Question #815: Real Exam Question with Answer & Explanation

The correct answer is B: Translate attack code into C#.

Vulnerability Exploitation & Privilege Escalation

Question

Which step would an attacker likely take before using MSBuild.exe?

Options

  • A. Install MSBuild.exe to %SYSTEMROOT%
  • B. Translate attack code into C#
  • C. Make changes to Windows Firewall

Explanation

MSBuild.exe executes inline C# code from project files, so an attacker must first encode their shellcode as a C# wrapper before invoking it as a living-off-the-land binary.

Common mistakes.

  • A. MSBuild.exe is included natively with the .NET Framework and is already present on Windows systems, so no installation step is required before it can be abused as a LOLBin.
  • C. MSBuild is a local code compilation tool and does not require outbound network access to function as a LOLBin, making firewall modifications unnecessary for this attack technique.

Concept tested. Living-off-the-land MSBuild.exe shellcode execution

Reference. https://attack.mitre.org/techniques/T1127/001/

Topics

MSBuild, LOLBins, C# payload, attack chain preparation
