Threat Feed
low advisory

MSBuild Process Injection Detection

The Microsoft Build Engine (MSBuild) is being abused to perform process injection by creating threads in other processes, a technique used to evade detection and potentially escalate privileges.

The Microsoft Build Engine (MSBuild) is a platform for building applications, commonly used in software development environments. Adversaries are abusing MSBuild to perform process injection, a technique that executes malicious code within the address space of another process, allowing attackers to evade detection and potentially escalate privileges. The detection focuses on thread creation in other processes by instances of MSBuild.exe, activity that is unusual outside of legitimate software development or build environments. Running attacker-controlled code through MSBuild is a known technique for proxying execution through trusted developer utilities (T1127.001).

Attack Chain

  1. An attacker gains initial access to the system through various means (e.g., compromised credentials, software vulnerability).
  2. The attacker executes MSBuild.exe, either directly or through another process.
  3. MSBuild.exe is used to load and execute a malicious project file or inline code.
  4. The malicious code within the MSBuild project file leverages Windows API calls to create a thread in a target process.
  5. The created thread injects malicious code or a payload into the target process’s memory space.
  6. The injected code executes within the context of the target process, potentially performing malicious activities.
  7. These activities could include lateral movement, data exfiltration, or establishing persistence.

Impact

Successful process injection can lead to a variety of malicious outcomes, including privilege escalation, data theft, and system compromise. While the specific number of victims is not available, any Windows system running MSBuild is potentially vulnerable. Because MSBuild is a trusted Microsoft utility, its activity blends in with legitimate developer work and is harder to detect, which can allow a compromise to persist and cause significant damage before the malicious activity is noticed.

Recommendation

  • Enable Sysmon process creation and CreateRemoteThread logging (event IDs 1 and 8) to detect the malicious activity described in the attack chain.
  • Deploy the Sigma rule “Process Injection by the Microsoft Build Engine” to your SIEM and tune for your environment to reduce false positives.
  • Implement application whitelisting to prevent unauthorized execution of MSBuild.exe in non-development environments.
  • Monitor the parent processes of MSBuild.exe for unusual or suspicious activity.
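The detection described in the recommendations, written out as an added example (not the advisory's Sigma rule and not platform code): it runs the MSBuild CreateRemoteThread logic over constructed Sysmon Event ID 8 records. The exclusion of MSBuild-to-MSBuild threads and the severity bump for an empty StartModule are tuning assumptions made here, not stated by the advisory.

```python
from typing import Iterable

# Constructed Sysmon records, shaped as a log shipper might hand them to a SIEM
# after XML-to-dict conversion. Invented for this example; not captured telemetry.
SAMPLE_EVENTS = [
    {"EventID": 8,
     "SourceImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x00007FFB1A2B0000", "StartModule": "", "StartFunction": ""},
    {"EventID": 8,
     "SourceImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "TargetImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "StartAddress": "0x00007FFB1C3D0000",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
    {"EventID": 8,
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\conhost.exe",
     "StartAddress": "0x00007FFB1D4E0000",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
    {"EventID": 1,   # process creation, not a CreateRemoteThread record
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\dev\build.proj"},
]

def _basename(path: str) -> str:
    # Sysmon reports Windows paths; compare the file name case-insensitively.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_msbuild_injection(events: Iterable[dict]) -> list[dict]:
    """Flag Sysmon Event ID 8 records where MSBuild.exe creates a thread in another process.

    Assumed tuning: a thread created in another MSBuild.exe instance is treated as
    build-node activity and skipped; an empty StartModule (start address not backed
    by a loaded module) raises severity, since injected code often runs from unbacked memory.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != 8:
            continue                                   # only CreateRemoteThread records
        src = _basename(ev.get("SourceImage", ""))
        tgt = _basename(ev.get("TargetImage", ""))
        if src != "msbuild.exe" or tgt == "msbuild.exe":
            continue
        severity = "high" if not ev.get("StartModule") else "medium"
        alerts.append({"rule": "MSBuild CreateRemoteThread Detection",
                       "severity": severity, "target": tgt,
                       "start_address": ev.get("StartAddress", "")})
    return alerts

if __name__ == "__main__":
    for alert in detect_msbuild_injection(SAMPLE_EVENTS):
        print(alert)
```

Feeding real Sysmon Event ID 8 records through the same function lets you measure how many MSBuild-sourced threads your build hosts generate before the rule goes live in the SIEM.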

Detection coverage (2 rules)

MSBuild CreateRemoteThread Detection

low

Detects MSBuild creating a thread in another process, indicative of process injection.

Type: sigma
Tactics: defense_evasion, privilege_escalation
Techniques: T1055, T1127.001
Sources: process_creation, windows

Suspicious MSBuild Call Trace

medium

Detects suspicious API calls within MSBuild process executions that might indicate process injection or other malicious activity.

Type: sigma
Tactics: defense_evasion
Techniques: T1055, T1127.001
Sources: process_creation, windows
