Windows/TestHarnesses/T1127.001_MSBuild/InvokeMSBuild.ps1

function Invoke-ATHMSBuild {
<#
.SYNOPSIS
 
MSBuild execution harness for the purposes of validating detection coverage.
 
Technique ID: T1127.001 (Trusted Developer Utilities Proxy Execution: MSBuild)
 
.DESCRIPTION
 
Invoke-ATHMSBuild automates the execution of .NET code using MSBuild for the purposes of validating detection coverage.
 
.PARAMETER ProjectFilePath
 
Specifies the full path of the MSBuild project file that is written to disk. If not specified, "test.proj" will be written to the current directory. With the exception of supplying -NoCLIProjectFile, the project file can have any file extension or no extension.
 
.PARAMETER MSBuildFilePath
 
Specifies an alternate path to MSBuild. MSBuild can execute from any directory with any filename and extension. If not specified, the default MSBuild path is used based on the .NET framework runtime used by the running PowerShell process.
 
.PARAMETER Language
 
Specifies the language of the embedded .NET code in the MSbuild project file. By default, MSbuild supports inline C#, VB.Net, and JScript.NET. The following language specifiations are supported in the project XML:
 
* cs, c#, csharp (All of which imply C# code)
* vb, vbs, visualbasic, vbscript (All of which imply VB.Net code)
* js, jscript, javascript (All of which imply JScript.Net code)
 
.PARAMETER NoCLIProjectFile
 
Specifies that MSbuild should execute without supplying a project file at the command line. If no project file is supplied at the command line, MSBuild will execute the first project file that ends with "proj" in the current directory. -NoCLIProjectFile will only work if there are no previous *proj files in the current directory so ensure that the current directory does not contain any *proj files prior to supplying the -NoCLIProjectFile switch.
 
.PARAMETER TargetName
 
Specifies the target name in the MSbuild project file. This can be any value. If not specified, "TestTarget" is used as the default.
 
.PARAMETER TaskName
 
Specifies the task name in the MSbuild project file. This can be any value. If not specified, "TestTask" is used as the default.
 
.PARAMETER UsePropertyFunctions
 
As an alternative to supplying inline .NET code that is compiled and executed, MSBuild Property Functions allow a developer to supply XML parameters consisting of embedded .NET code that is interpreted and executed on the fly without compilation. Specifying -UsePropertyFunctions will prompt Invoke-ATHMSBuild to use Property Functions as an alternative to embedded .NET source code.
 
.PARAMETER PropertyName
 
Specifies the XML property name to use in the MSbuild project file. This can be any value. If not specified, "TestProperty" is used as the default.
 
.PARAMETER UseCustomTaskFactory
 
Specifies that a custom task factory assembly will be dropped and used to execute code rather than embedding executable code within the project file.
 
.PARAMETER TaskFactoryName
 
Specifies the task factory name in the MSbuild project file. This can be any value. If not specified, "TestTaskFactory" is used as the default.
 
.PARAMETER UseCustomLogger
 
Specifies that a custom logger assembly will be dropped and used to execute code rather than embedding executable code within the project file.
 
.PARAMETER UseUnregisterAssemblyTask
 
Specifies that an assembly that implements a custom assembly registration method will be dropped and used to execute code rather than embedding executable code within the project file.
 
.PARAMETER CustomEngineDllPath
 
Specifies the full path of the MSBuild custom engine/logger assembly that is written to disk. If not specified, "CustomEngine.dll" will be written to the current directory.
 
.PARAMETER ProjectFileContent
 
Specifies custom MSbuild project XML content. Supplying custom content overrides default behavior where a template project is generated dynamically.
 
.PARAMETER TestGuid
 
Optionally, specify a test GUID value to use to override the generated test GUID behavior.
 
.OUTPUTS
 
PSObject
 
Outputs an object consisting of relevant execution details. The following object properties may be populated:
 
* TechniqueID - Specifies the relevant MITRE ATT&CK Technique ID.
* TestSuccess - Will be set to True if it was determined that the MSBuild project contents successfully executed. This will not be set to True if -ProjectFileContent was supplied.
* TestGuid - Specifies the test GUID that was used for the test. This property will not be populated when -ProjectFileContent is specified.
* ExecutionType - Indicates how the MSBuild project file was executed: InlineSourceCode, PropertyFunctions, CustomLogger, CustomTaskFactory, CustomUnregisterFunction, CustomProjectFileContent
* ProjectFilePath - Specifies the full path of the MSBuild project file that was written to disk.
* ProjectFileHashSHA256 - Specifies the SHA256 hash of the MSBuild project file that was written to disk.
* ProjectContents - Specifies the contents of the MSBuild project file that was written to disk.
* CustomEnginePath - If -UseCustomTaskFactory or -UseCustomLogger is supplied, this specifies the full path of the custom task factory or logger assembly DLL that was written to disk. Otherwise, this property is empty.
* CustomEngineHashSHA256 - If -UseCustomTaskFactory or -UseCustomLogger is supplied, this specifies the SHA256 of the custom task factory or logger assembly DLL that was written to disk. Otherwise, this property is empty.
* RunnerFilePath - Specifies the full path of MSBuild runner.
* RunnerProcessId - Specifies the process ID of MSBuild runner.
* RunnerCommandLine - Specifies the commandline of MSBuild runner.
* RunnerChildProcessId - Specifies the process ID of process that was executed as the result of the MSBuild project content executing. This property will not be populated if user-supplied project content is supplied via -ProjectFileContent.
* RunnerChildProcessCommandLine - Specifies the commandline of process that was executed as the result of the HTA content executing. This property will not be populated if user-supplied project content is supplied via -ProjectFileContent.
 
.EXAMPLE
 
Invoke-ATHMSBuild
 
.EXAMPLE
 
Invoke-ATHMSBuild -ProjectFilePath test.txt
 
Drops and executes the MSBuild project file from the specified path/filename.
 
.EXAMPLE
 
Invoke-ATHMSBuild -NoCLIProjectFile
 
Drops a .proj file to the current directory and executes it without supplying any command-line arguments to MSBuild.
 
.EXAMPLE
 
Copy-Item -Path C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe -Destination foo.txt
Invoke-ATHMSBuild -MSBuildFilePath foo.txt
 
Copies MSBuild to a local directory, rename it, and execute .NET code with it.
 
.EXAMPLE
 
Invoke-ATHMSBuild -Language javascript
 
Specifies JScript.NET as an alternative .NET language with which to compile and execute.
 
.EXAMPLE
 
Invoke-ATHMSBuild -TargetName Foo -TaskName Bar
 
Populating the generated project file XML with non-default target and task names.
 
.EXAMPLE
 
Invoke-ATHMSBuild -UsePropertyFunctions
 
Using property functions as an alternative to compiling and executing inline .NET code.
 
.EXAMPLE
 
Invoke-ATHMSBuild -UseCustomTaskFactory
 
Proxying custom execution through a custom task factory assembly as an alternative to compiling and executing inline .NET code.
 
.EXAMPLE
 
Invoke-ATHMSBuild -UseCustomLogger
 
Proxying custom execution through a custom logger assembly as an alternative to compiling and executing inline .NET code.
 
.EXAMPLE
 
Invoke-ATHMSBuild -UseUnregisterAssemblyTask
 
Proxying custom execution through a custom assembly unregistration function as an alternative to compiling and executing inline .NET code.
 
.EXAMPLE
 
$CustomProjectContent = @'
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="TestTarget">
    <TestTask />
  </Target>
  <UsingTask TaskName="TestTask" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
      <Code Language="cs">
        <![CDATA[
        System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo("powershell.exe", "-nop -Command Write-Host Foo; Start-Sleep -Seconds 2; exit");
        startInfo.UseShellExecute = false;
        startInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
        System.Diagnostics.Process.Start(startInfo);
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>
'@
 
Invoke-ATHMSBuild -ProjectFileContent $CustomProjectContent
 
Executes custom MSBuild project content rather than using a generated template project file.
#>


    [CmdletBinding(DefaultParameterSetName = 'InlineSourceCode')]
    param (
        [Parameter(Mandatory, ParameterSetName = 'CustomProjectFileContents')]
        [String]
        [ValidateNotNullOrEmpty()]
        $ProjectFileContent,

        [Parameter(ParameterSetName = 'InlineSourceCode')]
        [Parameter(ParameterSetName = 'CustomTaskFactory')]
        [Parameter(ParameterSetName = 'CustomLogger')]
        [Parameter(ParameterSetName = 'CustomUnregisterFunction')]
        [Parameter(ParameterSetName = 'PropertyFunctions')]
        [Parameter(ParameterSetName = 'CustomProjectFileContents')]
        [String]
        [ValidateNotNullOrEmpty()]
        $ProjectFilePath = 'test.proj',

        [Parameter(ParameterSetName = 'InlineSourceCode')]
        [Parameter(ParameterSetName = 'CustomTaskFactory')]
        [Parameter(ParameterSetName = 'CustomLogger')]
        [Parameter(ParameterSetName = 'CustomUnregisterFunction')]
        [Parameter(ParameterSetName = 'PropertyFunctions')]
        [Parameter(ParameterSetName = 'CustomProjectFileContents')]
        [Switch]
        $NoCLIProjectFile,

        [Parameter(ParameterSetName = 'InlineSourceCode')]
        [Parameter(ParameterSetName = 'CustomTaskFactory')]
        [Parameter(ParameterSetName = 'CustomLogger')]
        [Parameter(ParameterSetName = 'CustomUnregisterFunction')]
        [Parameter(ParameterSetName = 'PropertyFunctions')]
        [Parameter(ParameterSetName = 'CustomProjectFileContents')]
        [String]
        [ValidateNotNullOrEmpty()]
        $MSBuildFilePath = "$([Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())MSBuild.exe",

        [Parameter(ParameterSetName = 'InlineSourceCode')]
        [String]
        [ValidateSet('cs', 'c#', 'csharp', 'vb', 'vbs', 'visualbasic', 'vbscript', 'js', 'jscript', 'javascript')]
        $Language = 'cs',

        [Parameter(Mandatory, ParameterSetName = 'PropertyFunctions')]
        [Switch]
        $UsePropertyFunctions,

        [Parameter(ParameterSetName = 'PropertyFunctions')]
        [String]
        [ValidateNotNullOrEmpty()]
        $PropertyName = 'TestProperty',

        [Parameter(ParameterSetName = 'InlineSourceCode')]
        [Parameter(ParameterSetName = 'CustomTaskFactory')]
        [Parameter(ParameterSetName = 'CustomLogger')]
        [Parameter(ParameterSetName = 'CustomUnregisterFunction')]
        [Parameter(ParameterSetName = 'PropertyFunctions')]
        [String]
        [ValidateNotNullOrEmpty()]
        $TargetName = 'TestTarget',

        [Parameter(ParameterSetName = 'InlineSourceCode')]
        [Parameter(ParameterSetName = 'CustomTaskFactory')]
        [Parameter(ParameterSetName = 'CustomLogger')]
        [Parameter(ParameterSetName = 'PropertyFunctions')]
        [String]
        [ValidateNotNullOrEmpty()]
        $TaskName = 'TestTask',

        [Parameter(ParameterSetName = 'CustomTaskFactory')]
        [String]
        [ValidateNotNullOrEmpty()]
        $TaskFactoryName = 'TestTaskFactory',

        [Parameter(Mandatory, ParameterSetName = 'CustomTaskFactory')]
        [Switch]
        $UseCustomTaskFactory,

        [Parameter(Mandatory, ParameterSetName = 'CustomLogger')]
        [Switch]
        $UseCustomLogger,

        [Parameter(Mandatory, ParameterSetName = 'CustomUnregisterFunction')]
        [Switch]
        $UseUnregisterAssemblyTask,

        [Parameter(ParameterSetName = 'CustomTaskFactory')]
        [Parameter(ParameterSetName = 'CustomLogger')]
        [Parameter(ParameterSetName = 'CustomUnregisterFunction')]
        [String]
        [ValidateNotNullOrEmpty()]
        $CustomEngineDllPath = 'CustomEngine.dll',

        [Parameter(ParameterSetName = 'InlineSourceCode')]
        [Parameter(ParameterSetName = 'CustomTaskFactory')]
        [Parameter(ParameterSetName = 'CustomLogger')]
        [Parameter(ParameterSetName = 'CustomUnregisterFunction')]
        [Parameter(ParameterSetName = 'PropertyFunctions')]
        [Parameter(ParameterSetName = 'CustomProjectFileContents')]
        [Guid]
        $TestGuid = (New-Guid)
    )

    $CustomEngineDllHash    = $null
    $MSBuildCommandLine     = $null
    $MSBuildTaskExecuted    = $null
    $MSBuildProcessId       = $null
    $ProcessWMICommandLine  = $null
    $ParentProcessPath      = $null
    $SpawnedProcCommandLine = $null
    $SpawnedProcProcessId   = $null
    $ExecutionType          = $null
    $TestGuidToUse          = $TestGuid

    $MSBuildFullPath = Resolve-Path -Path $MSBuildFilePath -ErrorAction Stop

    # Validate that the MSBuild supplied is actually MSBuild.
    $MSBuildFileInfo = Get-Item -Path $MSBuildFullPath -ErrorAction Stop

    if ($MSBuildFileInfo.VersionInfo.OriginalFilename -ne 'MSBuild.exe') {
        Write-Error "The MSBuild executable supplied is not MSBuild.exe: $MSBuildFullPath"

        return
    }

    $ParentDir = Split-Path -Path $ProjectFilePath -Parent
    $FileName = Split-Path -Path $ProjectFilePath -Leaf

    if (($ParentDir -eq '') -or ($ParentDir -eq '.')) {
        $ParentDir = $PWD.Path
    }

    if (!(Test-Path -Path $ParentDir -PathType Container)) {
        Write-Error "The following directory does not exist: $ParentDir"
        return
    }

    $FullProjectPath = Join-Path -Path $ParentDir -ChildPath $FileName

    $ParentEngineDir = Split-Path -Path $CustomEngineDllPath -Parent
    $EngineFileName = Split-Path -Path $CustomEngineDllPath -Leaf

    if (($ParentEngineDir -eq '') -or ($ParentEngineDir -eq '.')) {
        $ParentEngineDir = $PWD.Path
    }

    if (!(Test-Path -Path $ParentEngineDir -PathType Container)) {
        Write-Error "The following directory does not exist: $ParentEngineDir"
        return
    }

    $FullCustomEnginePath = Join-Path -Path $ParentEngineDir -ChildPath $EngineFileName

    $MSBuildCommandLine = "`"$MSBuildFullPath`""

    if ($NoCLIProjectFile) {
        if (!$FileName.ToLower().EndsWith('proj')) {
            Write-Error "When not specifying a project file at the command-line, the project file on disk must end with a *proj extension."
            return
        }

        $ProjFileCount = Get-ChildItem -Path $ParentDir\*proj -File | Measure-Object | Select-Object -ExpandProperty Count

        if ($ProjFileCount -gt 1) {
            Write-Error "There cannot be more than one *proj file in $ParentDir. The following files were found: $((Get-ChildItem -Path $ParentDir\*proj | Select-Object -ExpandProperty Name) -join ', '). Either delete the files or create a new directory that doesn't have any *proj files in it."
            return
        }
    }

    $TypeDef = @"
using System;
using System.Diagnostics;
using System.Collections.Generic;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
using System.Runtime.InteropServices;
 
namespace AtomicTestHarnesses {
    public class MyAssemblyRegistration {
        [ComUnregisterFunction]
        public static void UnregisterFunction(Type t) {
            ProcessStartInfo startInfo = new ProcessStartInfo("powershell.exe", "-nop -Command Write-Host $TestGuid; Start-Sleep -Seconds 2; exit");
            startInfo.UseShellExecute = false;
 
            Process.Start(startInfo);
        }
    }
 
    public class MyLogger : Logger {
        public override void Initialize(IEventSource eventSource) {
            eventSource.MessageRaised += new BuildMessageEventHandler(eventSource_MessageRaised);
        }
 
        void eventSource_MessageRaised(object sender, BuildMessageEventArgs e)
        {
            Guid testGuid;
 
            if ((e.SenderName == "Message") && Guid.TryParse(e.Message, out testGuid)) {
                Console.WriteLine("Message test: " + testGuid);
 
                ProcessStartInfo startInfo = new ProcessStartInfo("powershell.exe", "-nop -Command Write-Host " + testGuid + "; Start-Sleep -Seconds 2; exit");
                startInfo.UseShellExecute = false;
                startInfo.WindowStyle = ProcessWindowStyle.Hidden;
 
                Process.Start(startInfo);
            }
        }
    }
 
    public class MyTask : ITask {
        private IBuildEngine buildEngine;
 
        private ITaskHost hostObject;
 
        public IBuildEngine BuildEngine {
            get {
                return this.buildEngine;
            }
 
            set {
                this.buildEngine = value;
            }
        }
 
        public ITaskHost HostObject {
            get {
                return this.hostObject;
            }
 
            set {
                this.hostObject = value;
            }
        }
 
        public bool Execute() {
            return true;
        }
    }
 
    public class $TaskFactoryName : ITaskFactory {
        private IDictionary<string, TaskPropertyInfo> taskParameterTypeInfo;
 
        public string FactoryName {
            get {
                return "Custom Task Factory";
            }
        }
 
        public Type TaskType {
            get {
                return typeof(MyTask);
            }
 
            set {}
        }
 
        public TaskPropertyInfo[] GetTaskParameters() {
            TaskPropertyInfo[] array = new TaskPropertyInfo[this.taskParameterTypeInfo.Count];
 
            this.taskParameterTypeInfo.Values.CopyTo(array, 0);
 
            return array;
        }
 
        public bool Initialize(string taskName, IDictionary<string, TaskPropertyInfo> taskParameters, string taskElementContents, IBuildEngine taskFactoryLoggingHost) {
            Console.WriteLine("Task contents: " + taskElementContents);
 
            ProcessStartInfo startInfo = new ProcessStartInfo("powershell.exe", "-nop -Command Write-Host " + taskElementContents + "; Start-Sleep -Seconds 2; exit");
            startInfo.UseShellExecute = false;
            startInfo.WindowStyle = ProcessWindowStyle.Hidden;
 
            Process.Start(startInfo);
 
            this.taskParameterTypeInfo = taskParameters;
 
            return true;
        }
 
        public ITask CreateTask(IBuildEngine loggingHost)
        {
            MyTask task = new MyTask();
 
            return task;
        }
 
        public void CleanupTask(ITask task) {
 
        }
    }
}
"@


    switch ($PSCmdlet.ParameterSetName) {
        'InlineSourceCode' {
            $ExecutionType = 'InlineSourceCode'
            $FullCustomEnginePath = $null

            $ProjectTemplate = @"
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="$TargetName">
    <$TaskName />
  </Target>
  <UsingTask TaskName="$TaskName" TaskFactory="CodeTaskFactory" AssemblyFile="$([Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
      <Code Language="$Language">
        <![CDATA[
        REPLACEME
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>
"@


            $ProjectTemplateJScript = @"
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="$TargetName">
    <$TaskName />
  </Target>
  <UsingTask TaskName="$TaskName" TaskFactory="CodeTaskFactory" AssemblyFile="$([Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
      <Reference Include="System" />
      <Code Language="$Language">
        <![CDATA[
        REPLACEME
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>
"@


            $CSharpCode = @"
System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo("powershell.exe", "-nop -Command Write-Host $($TestGuid); Start-Sleep -Seconds 2; exit");
        startInfo.UseShellExecute = false;
        startInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
        System.Diagnostics.Process.Start(startInfo);
"@


            $VBDotNetCode = @"
Dim startInfo As New System.Diagnostics.ProcessStartInfo
        startInfo.FileName = "powershell.exe"
        startInfo.Arguments = "-nop -Command Write-Host $($TestGuid); Start-Sleep -Seconds 2; exit"
        startInfo.UseShellExecute = False
        startInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden
 
        System.Diagnostics.Process.Start(startInfo)
"@


            $JScriptDotNetCode = @"
var startInfo;
        startInfo = new System.Diagnostics.ProcessStartInfo("powershell.exe", "-nop -Command Write-Host $($TestGuid); Start-Sleep -Seconds 2; exit");
        startInfo.UseShellExecute = false;
        startInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
 
        System.Diagnostics.Process.Start(startInfo);
"@


            switch ($Language) {
                'cs'          { $ProcRunnerCode = $CSharpCode }
                'c#'          { $ProcRunnerCode = $CSharpCode }
                'csharp'      { $ProcRunnerCode = $CSharpCode }
                'vb'          { $ProcRunnerCode = $VBDotNetCode }
                'vbs'         { $ProcRunnerCode = $VBDotNetCode <# Despite the naming, VB.Net is interpreted #> }
                'visualbasic' { $ProcRunnerCode = $VBDotNetCode }
                'vbscript'    { $ProcRunnerCode = $VBDotNetCode <# Despite the naming, VB.Net is interpreted #> }
                'js'          { $ProcRunnerCode = $JScriptDotNetCode; $ProjectTemplate = $ProjectTemplateJScript }
                'jscript'     { $ProcRunnerCode = $JScriptDotNetCode; $ProjectTemplate = $ProjectTemplateJScript }
                'javascript'  { $ProcRunnerCode = $JScriptDotNetCode; $ProjectTemplate = $ProjectTemplateJScript }
            }

            $ProjectTemplate = $ProjectTemplate.Replace('REPLACEME', $ProcRunnerCode)
        }

        'CustomProjectFileContents' {
            $ExecutionType = 'CustomProjectFileContent'
            $FullCustomEnginePath = $null
            $TestGuidToUse = $null

            $ProjectTemplate = $ProjectFileContent
        }

        'PropertyFunctions' {
            $ExecutionType = 'PropertyFunctions'
            $FullCustomEnginePath = $null

            $ProjectTemplate = @"
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="$TargetName">
  <PropertyGroup>
    <$PropertyName>`$([System.Diagnostics.Process]::Start("powershell.exe", "-nop -Command Write-Host $($TestGuid); Start-Sleep -Seconds 2; exit"))</$PropertyName>
  </PropertyGroup>
  </Target>
</Project>
"@

        }

        'CustomUnregisterFunction' {
            $ExecutionType = 'CustomUnregisterFunction'

            Add-Type -TypeDefinition $TypeDef -ReferencedAssemblies "$([Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())Microsoft.Build.Framework.dll", "$([Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())Microsoft.Build.Utilities.v4.0.dll" -OutputAssembly $FullCustomEnginePath -ErrorAction Stop

            $CustomEngineDllHash = Get-FileHash -Path $FullCustomEnginePath | Select-Object -ExpandProperty Hash

            $ProjectTemplate = @"
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="$TargetName">
    <UnregisterAssembly Assemblies="$FullCustomEnginePath" />
  </Target>
</Project>
"@

        }

        'CustomLogger' {
            $ExecutionType = 'CustomLogger'

            Add-Type -TypeDefinition $TypeDef -ReferencedAssemblies "$([Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())Microsoft.Build.Framework.dll", "$([Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())Microsoft.Build.Utilities.v4.0.dll" -OutputAssembly $FullCustomEnginePath -ErrorAction Stop

            $CustomEngineDllHash = Get-FileHash -Path $FullCustomEnginePath | Select-Object -ExpandProperty Hash

            $ProjectTemplate = @"
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="$TargetName">
    <Message Text="$TestGuid" />
  </Target>
</Project>
"@


            $MSBuildCommandLine += " /logger:$FullCustomEnginePath"
        }

        'CustomTaskFactory' {
            $ExecutionType = 'CustomTaskFactory'

            Add-Type -TypeDefinition $TypeDef -ReferencedAssemblies "$([Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())Microsoft.Build.Framework.dll", "$([Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())Microsoft.Build.Utilities.v4.0.dll" -OutputAssembly $FullCustomEnginePath -ErrorAction Stop

            $CustomEngineDllHash = Get-FileHash -Path $FullCustomEnginePath | Select-Object -ExpandProperty Hash

            $ProjectTemplate = @"
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="$TargetName">
    <$TaskName />
  </Target>
  <UsingTask TaskName="$TaskName" TaskFactory="$TaskFactoryName" AssemblyFile="$FullCustomEnginePath" >
    <Task>$TestGuid</Task>
  </UsingTask>
</Project>
"@

        }
    }

    Out-File -FilePath $FullProjectPath -InputObject $ProjectTemplate -Force

    $ProjectHash = Get-FileHash -Path $FullProjectPath -Algorithm SHA256 | Select-Object -ExpandProperty Hash

    if (-not $NoCLIProjectFile) {
        $MSBuildCommandLine += " $($FullProjectPath)"
    }

    # Only run the following if non-custom project content is supplied (i.e. -ProjectFileContent is not supplied)
    if ($ExecutionType -ne 'CustomProjectFileContent') {
        # Remove any stale events
        Get-Event -SourceIdentifier 'ChildProcSpawned' -ErrorAction SilentlyContinue | Remove-Event
        Get-EventSubscriber -SourceIdentifier 'ProcessSpawned' -ErrorAction SilentlyContinue | Unregister-Event

        # Trigger an event any time powershell.exe has $TestGuid in the command line.
        # This event should correspond to the mshta or rundll process that launched it.
        $WMIEventQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'powershell.exe' AND TargetInstance.CommandLine LIKE '%$($TestGuid)%'"

        Write-Verbose "Registering MSBuild.exe child process creation WMI event using the following WMI event query: $WMIEventQuery"

        $null = Register-CimIndicationEvent -SourceIdentifier 'ProcessSpawned' -Query $WMIEventQuery -Action {
            $SpawnedProcInfo = [PSCustomObject] @{
                ProcessId = $EventArgs.NewEvent.TargetInstance.ProcessId
                ProcessCommandLine = $EventArgs.NewEvent.TargetInstance.CommandLine
            }

            New-Event -SourceIdentifier 'ChildProcSpawned' -MessageData $SpawnedProcInfo

            Stop-Process -Id $EventArgs.NewEvent.TargetInstance.ProcessId
        }
    }

    $ProcessStartup = New-CimInstance -ClassName Win32_ProcessStartup -ClientOnly
    $ProcessStartupInstance = Get-CimInstance -InputObject $ProcessStartup
    $ProcessStartupInstance.ShowWindow = [UInt16] 0 # Hide the window

    if ($UsePropertyFunctions) {
        # Set %MSBUILDENABLEALLPROPERTYFUNCTIONS% in the child MSBuild process so that property function restrictions are lifted.
        [String[]] $AllEnvVars = (Get-ChildItem Env:\* | ForEach-Object { "$($_.Name)=$($_.Value)" }) + 'MSBUILDENABLEALLPROPERTYFUNCTIONS=1'

        $ProcessStartupInstance.EnvironmentVariables = $AllEnvVars
    }

    $ProcStartResult = Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = $MSBuildCommandLine; CurrentDirectory = $PWD.Path; ProcessStartupInformation = $ProcessStartupInstance }

    if ($ProcStartResult.ReturnValue -eq 0) {
        $MSBuildProcessId = $ProcStartResult.ProcessId

        if ($ExecutionType -eq 'CustomProjectFileContent') {
            # When custom task XML is supplied, there may be a race condition where process information cannot be retrieved.
            $ParentProcessPath = $MSBuildFullPath
            $ProcessWMICommandLine = $MSBuildCommandLine
        } else {
            # Retrieval via WMI is a more authoritative source
            $ParentProcess = Get-CimInstance -ClassName 'Win32_Process' -Filter "ProcessId = $MSBuildProcessId" -Property 'CommandLine', 'ExecutablePath'

            $ParentProcessPath = $ParentProcess.ExecutablePath
            $ProcessWMICommandLine = $ParentProcess.CommandLine
        }
    } else {
        Write-Error "MSbuild process failed to start."
    }

    if ($ExecutionType -ne 'CustomProjectFileContent') {
        $ChildProcSpawnedEvent = Wait-Event -SourceIdentifier 'ChildProcSpawned' -Timeout 10
        $ChildProcInfo = $null

        if ($ChildProcSpawnedEvent) {
            $MSBuildTaskExecuted = $True

            $ChildProcInfo = $ChildProcSpawnedEvent.MessageData

            $SpawnedProcCommandLine = $ChildProcInfo.ProcessCommandLine
            $SpawnedProcProcessId   = $ChildProcInfo.ProcessId

            $ChildProcSpawnedEvent | Remove-Event
        } else {
            Write-Error "MSBuild child process was not spawned."
        }

        # Cleanup
        Unregister-Event -SourceIdentifier 'ProcessSpawned'
    }

    [PSCustomObject] @{
        TechniqueID = 'T1127.001'
        TestSuccess = $MSBuildTaskExecuted
        TestGuid = $TestGuidToUse
        ExecutionType = $ExecutionType
        ProjectFilePath = $FullProjectPath
        ProjectFileHashSHA256 = $ProjectHash
        ProjectContents = $ProjectTemplate
        CustomEnginePath = $FullCustomEnginePath
        CustomEngineHashSHA256 = $CustomEngineDllHash
        RunnerFilePath = $ParentProcessPath
        RunnerProcessId = $MSBuildProcessId
        RunnerCommandLine = $ProcessWMICommandLine
        RunnerChildProcessId = $SpawnedProcProcessId
        RunnerChildProcessCommandLine = $SpawnedProcCommandLine
    }
}