Threat Feed advisory (severity: medium)

MSBuild Making Network Connections Indicating Potential Defense Evasion

MsBuild.exe making outbound network connections may indicate adversarial activity as attackers leverage MsBuild to execute code and evade detection.

Attackers may abuse the Microsoft Build Engine (MSBuild) to execute malicious files, or use it to masquerade as a legitimate utility and bypass detections. MSBuild is a platform for building applications that is driven by XML project files; the project file schema controls how the build engine processes and builds software. The observed behavior is MsBuild.exe initiating outbound network connections, which is not typical of its intended use and may indicate unauthorized code execution or command and control activity. Such connections can be used to download malicious payloads, exfiltrate data, or establish a reverse shell. Detecting this behavior is important because it can be an early indicator of compromise.

Attack Chain

  1. Attacker gains initial access through an external vector (e.g., phishing, software vulnerability).
  2. Attacker executes MsBuild.exe.
  3. MSBuild executes a malicious project file (.csproj, .vbproj).
  4. The project file contains embedded or referenced code (e.g., C#, VB.NET) designed to perform malicious actions.
  5. The malicious code executes, initiating a network connection.
  6. The network connection is established to an external command and control (C2) server or a resource hosting a malicious payload.
  7. Data exfiltration or payload download occurs via the network connection.
  8. The attacker gains further control over the compromised system, potentially leading to lateral movement or data theft.

Impact

Compromised systems can lead to data breaches, system instability, and further propagation of malware within the network. Successful exploitation can result in sensitive information being stolen, disruption of services, and potential financial losses. This activity can be difficult to detect without specific monitoring rules and can lead to extended dwell time for attackers within the compromised environment.

Recommendation

  • Deploy the Sigma rule MSBuild Making Outbound Network Connection to your SIEM to detect suspicious network connections initiated by MsBuild.exe.
  • Investigate any alerts generated by the Sigma rule, focusing on the destination IP addresses and the content of the network traffic.
  • Monitor process execution events for instances of MsBuild.exe executing unusual or suspicious project files.
  • Enable process monitoring with command-line argument logging to identify potential malicious project files being passed to MsBuild.exe.
  • Consider implementing application control policies to restrict the execution of MsBuild.exe to authorized users and processes only.
  • Block known malicious domains and IP addresses associated with command and control activity at the firewall or DNS resolver.

Detection coverage (2 rules)

MSBuild Making Outbound Network Connection (severity: medium)

Detects MsBuild.exe making outbound network connections, which could indicate malicious activity.

Rule type: Sigma
Tactics: command_and_control, defense_evasion
Techniques: T1071, T1127.001
Sources: network_connection, windows
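As an added example that is not part of this advisory or of its Sigma rule, the core detection logic above expressed in Python and run over a few constructed Sysmon Event ID 3 (network connection) records; it also shows an allowlist of internal build infrastructure as a tuning step, which is this example's assumption rather than something the advisory specifies.

```python
import ipaddress

# Constructed Sysmon Event ID 3 (NetworkConnect) and Event ID 1 records, flattened
# to dicts. Field names follow Sysmon EventData; all values are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.45", "DestinationPort": 443, "User": "CORP\\alice"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "Initiated": "true", "DestinationIp": "10.0.5.20", "DestinationPort": 8080, "User": "CORP\\build-svc"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "Initiated": "false", "DestinationIp": "198.51.100.7", "DestinationPort": 4444, "User": "CORP\\alice"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.45", "DestinationPort": 443, "User": "CORP\\alice"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.csproj"},
]

# Hypothetical tuning allowlist (assumption, not from the advisory): internal build or
# package servers where MSBuild is expected to talk to the network, e.g. an on-prem NuGet feed.
ALLOWED_DESTINATIONS = [ipaddress.ip_network("10.0.5.0/24")]


def is_msbuild_outbound(event):
    """Core rule logic: a network_connection event that the host initiated, from an
    image whose file name is msbuild.exe (case-insensitive, any install path)."""
    if event.get("EventID") != 3:
        return False
    if str(event.get("Initiated", "")).lower() != "true":
        return False
    return event.get("Image", "").lower().endswith("\\msbuild.exe")


def is_allowlisted(dest_ip):
    """True when the destination falls inside a known-good internal network."""
    try:
        addr = ipaddress.ip_address(dest_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_DESTINATIONS)


def detect(events):
    """Return one alert dict per outbound MSBuild connection not covered by the allowlist."""
    alerts = []
    for ev in events:
        if not is_msbuild_outbound(ev) or is_allowlisted(ev.get("DestinationIp", "")):
            continue
        alerts.append({"user": ev.get("User"), "image": ev["Image"],
                       "dest": f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Inbound connections (`Initiated` false) and process-creation events are deliberately outside this rule's scope; the second rule on this page covers the process-creation side.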

Suspicious MSBuild Process Creation (severity: low)

Detects MSBuild.exe process creation with unusual parent processes.

Rule type: Sigma
Tactics: defense_evasion
Techniques: T1127.001
Sources: process_creation, windows
