Threat Feed
medium advisory

Microsoft Build Engine Executed After Renaming

Attackers may rename the Microsoft Build Engine (MSBuild) executable to evade detection and proxy execution of malicious code.

Attackers may rename legitimate utilities such as MSBuild to evade name-based detection and blocking rules. MSBuild, the Microsoft Build Engine, is the platform that builds .NET and Visual Studio projects; because it executes the tasks and scripts declared in a project file, an attacker can use it to proxy execution of malicious code through a signed Microsoft binary. The detection rule identifies MSBuild starting under a different name: it looks for process-creation events whose OriginalFileName is MSBuild.exe while the process image name is something else. OriginalFileName comes from the executable's PE version resource, which a rename on disk does not change, so the mismatch itself is the indicator of a renaming attempt.

Attack Chain

  1. An attacker gains initial access to a Windows system.
  2. The attacker copies or renames the legitimate MSBuild.exe executable to a different name (e.g., evil.exe) so that name-based detections do not fire.
  3. The attacker runs the renamed copy (evil.exe) with a malicious project file (.csproj or similar) as its argument.
  4. MSBuild parses the project file, which contains targets and tasks whose commands or scripts it executes.
  5. The malicious commands within the project file are executed by MSBuild, potentially downloading or executing further payloads.
  6. The attacker may use MSBuild to launch PowerShell commands or other scripting languages for lateral movement or further exploitation.
  7. MSBuild tasks can also be used to modify files, registry entries, or other system settings.
  8. The attacker achieves their final objective, such as data exfiltration or establishing persistence.

Impact

Successful abuse gives the attacker arbitrary code execution under a signed Microsoft binary, which can be used to install malware, steal sensitive information, or compromise the entire system. Renaming MSBuild defeats detections and blocking rules that key on the file name MSBuild.exe. It does not change the file's hash or Authenticode signature, so controls that match on publisher or hash still see the same binary.

Recommendation

  • Enable Sysmon process creation logging (Event ID 1) so that the Image, OriginalFileName, ParentImage and CommandLine fields are captured.
  • Deploy the Sigma rule “Microsoft Build Engine Using an Alternate Name” to your SIEM and tune it for your environment; it detects renamed MSBuild executables from process metadata and command-line arguments.
  • Monitor process creation events whose OriginalFileName is “MSBuild.exe” but whose image file name is not msbuild.exe (in ECS terms, process.pe.original_file_name versus process.name). Expect legitimate MSBuild activity from Visual Studio, dotnet build and CI agents on developer hosts, and baseline those before alerting.
  • Implement application control policies (for example AppLocker or WDAC publisher rules) that block MSBuild on hosts that do not build software. Publisher rules match the file name recorded in the signed binary's version resource rather than the name on disk, so a renamed copy is still blocked.

Detection coverage (2 rules)

Microsoft Build Engine Using an Alternate Name

medium

Detects the execution of MSBuild.exe with a different process name, indicating potential masquerading.

Sigma · tactics: defense_evasion, execution · techniques: T1036.003 (Masquerading: Rename System Utilities), T1127.001 (Trusted Developer Utilities Proxy Execution: MSBuild) · sources: process_creation, windows

MSBuild Spawned from Suspicious Process

low

Detects MSBuild.exe being spawned by a suspicious parent process such as cmd.exe or powershell.exe.

Sigma · tactics: defense_evasion, execution · techniques: T1127.001 (Trusted Developer Utilities Proxy Execution: MSBuild) · sources: process_creation, windows
