When Everyday Tools Turn Risky

The Situation

During a recent cybersecurity assessment, Secure State uncovered a critical weakness that showed just how easily trusted system tools can be turned against an organisation.

While testing a client’s Windows environment, our consultants demonstrated that a user with only standard (non-admin) access could execute malicious code — simply by using a legitimate Microsoft utility called MSBuild (Microsoft Build Engine).

MSBuild is normally used by developers to compile software projects. It works from an XML project file, and that file can carry its own inline code, which MSBuild compiles and runs as part of the build. An attacker who can write a project file and launch MSBuild therefore runs code of their choosing inside a signed Microsoft process, without installing anything or dropping an unsigned executable, and achieves the same effect as installing and executing unauthorised software.

The result? Our team established a remote command-and-control session on the host under that user's account, the same foothold an adversary would use to act as that user and reach whatever company data the account can see.

What This Means for Business

This type of exposure isn’t about complex malware — it’s about living-off-the-land: attackers using what’s already on your system.

Because MSBuild is a signed Microsoft binary that ships with the .NET Framework, signature-based antivirus rarely flags it: the executable is legitimate, and the malicious part is a plain-text project file. A malicious actor exploiting this vector could:

  • Access files and data available to the compromised account
  • Move laterally across systems by abusing weak permissions
  • Escalate privileges to gain deeper access into the network
  • Potentially exfiltrate or leak sensitive information

In plain terms, it’s a reminder that cyber risks don’t always come from new or unknown tools — they can come from the ones built into your operating system.

Secure State’s Approach

Our assessment didn’t just identify the risk — it showed how attackers could realistically chain it with other weaknesses to gain a foothold.
We simulated a real-world scenario under the same permissions a regular staff member would have, proving that even a low-privilege account is a serious security concern once it is compromised.

The value of this approach is in visibility: by testing what’s possible rather than what’s assumed safe, organisations can prioritise the vulnerabilities that truly matter.

Remediation and Recommendations

To help the client close this gap, Secure State recommended a combination of technical and strategic controls:

  • Block or restrict MSBuild execution via AppLocker or Windows Defender Application Control (WDAC). MSBuild.exe is on Microsoft's recommended WDAC block list, so on hosts that do not build software it can simply be denied; developer machines need a rule scoped to the users and build paths that genuinely require it.
  • Implement allow-listing to ensure only approved scripts and binaries can run.
  • Monitor for unusual process and network behaviour: MSBuild launched by a non-developer account, MSBuild reading a project file from a user-writable location such as Downloads or %TEMP%, and above all outbound connections from the MSBuild process itself, which it has no reason to make on a host that does not build software.
  • Deploy Endpoint Detection and Response (EDR) solutions to flag "living-off-the-land" activity before it becomes an incident.
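As an added example for this article (not Secure State's tooling and not part of the original case study), the monitoring recommendation above expressed as a small triage script. It assumes Sysmon, or an EDR that exports the same fields, records Event ID 1 (process creation) and Event ID 3 (network connection) with the standard Image, CommandLine, ParentImage, ProcessGuid, DestinationIp and DestinationPort fields. The events in SAMPLE_EVENTS are constructed for the demonstration, and 203.0.113.10 is a documentation address standing in for an attacker's server.

```python
"""Triage Sysmon-style events for MSBuild living-off-the-land activity.

Added example for this article, not Secure State's tooling. Assumes Sysmon
(or an EDR exporting the same fields) records Event ID 1 (ProcessCreate)
and Event ID 3 (NetworkConnect). SAMPLE_EVENTS below are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Sysmon's Image field is a full path; match the binary name wherever it
# lives (the .NET Framework folder or a Visual Studio install).
MSBUILD_RE = re.compile(r"\\msbuild\.exe$", re.IGNORECASE)

# Locations a standard user can write to. A project file fed to MSBuild from
# one of these was not deployed by a build server or a developer toolchain.
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|Desktop|Documents|AppData)|Temp|ProgramData)\\",
    re.IGNORECASE,
)

# Parents with no legitimate reason to compile .NET projects.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}

# Ranges treated as internal. Deliberately not ipaddress.is_private, which
# also covers the documentation ranges used in the sample data.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
              "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")
]


@dataclass(frozen=True)
class Finding:
    rule: str
    process_guid: str  # joins the network event back to the launch that caused it
    detail: str


def is_msbuild(image: str) -> bool:
    return bool(MSBUILD_RE.search(image or ""))


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def triage(events: list[dict]) -> list[Finding]:
    """Return one Finding per suspicious MSBuild observation, in event order."""
    findings: list[Finding] = []
    for e in events:
        if not is_msbuild(e.get("Image", "")):
            continue
        guid = e.get("ProcessGuid", "")
        if e.get("EventID") == 1:  # ProcessCreate
            cmd = e.get("CommandLine", "")
            parent = (e.get("ParentImage") or "").rsplit("\\", 1)[-1].lower()
            if USER_WRITABLE_RE.search(cmd):
                findings.append(Finding("msbuild_project_in_user_writable_path", guid, cmd))
            if parent in SUSPICIOUS_PARENTS:
                findings.append(Finding("msbuild_spawned_by_office_or_script_host", guid, parent))
        elif e.get("EventID") == 3:  # NetworkConnect
            dst = str(e.get("DestinationIp", ""))
            if not is_internal(dst):
                findings.append(Finding("msbuild_outbound_connection", guid,
                                        f"{dst}:{e.get('DestinationPort')}"))
    return findings


FW = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
VS = r"C:\Program Files\Microsoft Visual Studio\2022\Professional\MSBuild\Current\Bin\MSBuild.exe"

# Constructed sample telemetry: one developer build and one abuse case.
SAMPLE_EVENTS = [
    # Developer build from Visual Studio, project under a source tree: benign.
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": VS, "User": "CORP\\dev1",
     "CommandLine": r'MSBuild.exe "C:\src\billing\billing.csproj" /t:Build',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\devenv.exe"},
    # Package restore to an internal artifact server: internal, not flagged.
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": VS, "User": "CORP\\dev1",
     "DestinationIp": "10.20.30.40", "DestinationPort": 8081},
    # Standard user runs the framework MSBuild against a project file in %TEMP%.
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": FW, "User": "CORP\\jsmith",
     "CommandLine": r"MSBuild.exe C:\Users\jsmith\AppData\Local\Temp\update.csproj",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # ...and that same process then calls out to an external host
    # (203.0.113.10 is a documentation address standing in for the attacker).
    {"EventID": 3, "ProcessGuid": "{B2}", "Image": FW, "User": "CORP\\jsmith",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Browser traffic to the same host: not MSBuild, ignored by this triage.
    {"EventID": 3, "ProcessGuid": "{C3}", "User": "CORP\\jsmith",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:45} {f.process_guid:6} {f.detail}")
```

On developer endpoints MSBuild legitimately restores packages from public feeds, so the outbound-connection rule is noisy there; scope it to hosts that carry no developer tooling, or allow-list the feed hosts, and keep the project-path and parent-process rules everywhere. The ProcessGuid carried on each finding is what lets an analyst tie the network connection back to the specific MSBuild launch, and therefore to the project file, that started it.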

The Takeaway

This case demonstrates that cybersecurity isn't just about firewalls and passwords. It's about understanding how legitimate tools can be misused.
By proactively identifying and mitigating these risks, Secure State helps organisations stay one step ahead of adversaries who increasingly exploit the familiar, not the foreign.

Reviewed by Kenneth Nduhiu
