MSBuild

MsBuild.exe making outbound network connections may indicate adversarial activity as attackers leverage MsBuild to execute code and evade detection.

Detection of MsBuild.exe making outbound network connections which may indicate adversarial activity used to execute code and evade detection.

Adversaries may exploit MSBuild to execute malicious scripts or compile code, bypassing security controls; this rule detects unusual processes initiated by MSBuild, such as PowerShell or C# compiler, signaling potential misuse for executing unauthorized or harmful actions.

Adversaries may use MSBuild, a legitimate Microsoft tool, to execute malicious code through script interpreters for defense evasion and execution on Windows systems.

The Microsoft Build Engine (MSBuild) is being abused to perform process injection by creating threads in other processes, a technique used to evade detection and potentially escalate privileges.

Attackers may rename the Microsoft Build Engine (MSBuild) executable to evade detection and proxy execution of malicious code.

The detection rule identifies a potential credential access attempt via the trusted developer utility MSBuild by detecting instances where it loads DLLs associated with Windows credential management, specifically vaultcli.dll or SAMLib.DLL, which is often used for credential dumping.