Threat Feed
medium advisory

MSBuild Making Network Connections

Detection of MsBuild.exe making outbound network connections which may indicate adversarial activity used to execute code and evade detection.

The Microsoft Build Engine (MSBuild) is a platform for building applications that uses an XML schema for project files to control the build process. Attackers can abuse MSBuild to execute malicious code, proxy code execution, and masquerade as legitimate utilities to evade defenses. This behavior is often used in defense evasion tactics. This detection identifies instances of MsBuild.exe executing and subsequently establishing network connections to external addresses. This activity warrants further investigation as it deviates from expected usage patterns and might signify malicious exploitation of MSBuild.

Attack Chain

  1. Adversary gains initial access to the system via unspecified means.
  2. Adversary executes MsBuild.exe.
  3. MSBuild process loads and executes a malicious project file, potentially containing embedded code or instructions to download and execute further payloads.
  4. The project file instructs MSBuild to initiate a network connection to a remote server.
  5. MSBuild establishes an outbound network connection to the attacker-controlled server.
  6. The attacker can use the established connection for command and control (C2) or data exfiltration.
  7. The compromised host may download additional malicious tools or payloads from the C2 server using MSBuild’s network capabilities.

Impact

A successful attack leveraging MSBuild can lead to code execution, defense evasion, and potentially command and control. Although the number of affected organizations is not specified, any Windows environment where developers use MSBuild is potentially at risk. If successful, attackers can bypass traditional security measures, gain unauthorized access, and exfiltrate sensitive data.

Recommendation

  • Enable process creation logging and network connection logging on Windows endpoints to capture the necessary events for detection.
  • Deploy the Sigma rule “MSBuild Making Network Connections” to your SIEM and tune for your environment.
  • Investigate any alerts generated by the Sigma rule by examining the process execution chain and network connections for suspicious activity.
  • Consider adding exceptions for legitimate MSBuild network activity, based on destination IP addresses and command-line arguments.
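As an added illustration of the detection and tuning logic described in this advisory (not the platform's own Sigma rule or query), the following Python classifies constructed Sysmon Event ID 3-style network connection events against both coverage rules on this page. The field names, the internal address ranges, the "standard" port set and the exception list are assumptions to be adapted to your environment.

```python
import ipaddress

# Constructed Sysmon Event ID 3-style events (assumed field names), not real telemetry.
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    {"Image": MSBUILD, "CommandLine": r"MSBuild.exe C:\build\agent\app.csproj",
     "Initiated": True, "DestinationIp": "10.0.5.20", "DestinationPort": 443},     # internal package feed
    {"Image": MSBUILD, "CommandLine": r"MSBuild.exe C:\Users\Public\x.proj",
     "Initiated": True, "DestinationIp": "203.0.113.45", "DestinationPort": 443},  # external, standard port
    {"Image": MSBUILD, "CommandLine": r"MSBuild.exe C:\Users\Public\x.proj",
     "Initiated": True, "DestinationIp": "198.51.100.7", "DestinationPort": 4444}, # external, non-standard port
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
     "Initiated": True, "DestinationIp": "198.51.100.7", "DestinationPort": 4444}, # not MSBuild
]

# Assumed tuning knobs; adjust per environment (see the recommendation list above).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
STANDARD_PORTS = {80, 443}
# An exception requires BOTH a known destination IP and a command line from the build agent path.
EXCEPTIONS = [("10.0.5.20", r"C:\build\agent")]

def is_msbuild(image: str) -> bool:
    return image.lower().endswith("\\msbuild.exe")

def is_external(ip: str) -> bool:
    # Explicit RFC 1918/loopback/link-local check; ipaddress.is_private also
    # treats documentation ranges as private, which is not what we want here.
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def is_excepted(event: dict) -> bool:
    return any(event["DestinationIp"] == ip and frag.lower() in event["CommandLine"].lower()
               for ip, frag in EXCEPTIONS)

def classify(event: dict) -> set:
    """Return the names of the rules an outbound MSBuild connection event triggers."""
    if not is_msbuild(event["Image"]) or not event.get("Initiated", True) or is_excepted(event):
        return set()
    hits = set()
    if is_external(event["DestinationIp"]):
        hits.add("MSBuild Making Network Connections")
    if event["DestinationPort"] not in STANDARD_PORTS:
        hits.add("MSBuild Connecting to Non-Standard Ports")
    return hits

def run(events) -> list:
    """Return (DestinationIp, sorted rule names) for every event that triggers a rule."""
    return [(e["DestinationIp"], sorted(classify(e))) for e in events if classify(e)]

if __name__ == "__main__":
    for ip, rules in run(SAMPLE_EVENTS):
        print(f"{ip}: {', '.join(rules)}")
```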

Detection coverage (2 rules)

MSBuild Making Network Connections

medium

Detects MsBuild.exe making outbound network connections, which may indicate adversarial activity.

Format: sigma | Tactics: command_and_control, defense_evasion | Techniques: T1071, T1127.001 | Sources: process_creation, windows

MSBuild Connecting to Non-Standard Ports

medium

Detects MsBuild.exe making outbound network connections to non-standard ports, indicative of command and control activity.

Format: sigma | Tactics: command_and_control, defense_evasion | Techniques: T1071, T1127.001 | Sources: network_connection, windows

Detection queries are kept inside the platform.