{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/msbuild/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","command-and-control","msbuild"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may abuse the Microsoft Build Engine (MSBuild) to execute malicious files or masquerade as legitimate utilities to bypass detections and evade defenses. MSBuild is a platform for building applications using an XML schema for project files that controls how the build platform processes and builds software. The observed behavior involves MsBuild.exe initiating outbound network connections. Apart from package restore against known feeds, MSBuild has no reason to talk to the network, so connections to other destinations may indicate unauthorized code execution or command and control activity. This activity can be used to download malicious payloads, exfiltrate data, or establish a reverse shell. 
Detecting this behavior is crucial as it can be an early indicator of compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access through an external vector (e.g., phishing, software vulnerability).\u003c/li\u003e\n\u003cli\u003eAttacker executes MsBuild.exe.\u003c/li\u003e\n\u003cli\u003eMSBuild executes a malicious project file (.csproj, .vbproj).\u003c/li\u003e\n\u003cli\u003eThe project file contains embedded or referenced code (e.g., C#, VB.NET) designed to perform malicious actions.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes, initiating a network connection.\u003c/li\u003e\n\u003cli\u003eThe network connection is established to an external command and control (C2) server or a resource hosting a malicious payload.\u003c/li\u003e\n\u003cli\u003eData exfiltration or payload download occurs via the network connection.\u003c/li\u003e\n\u003cli\u003eThe attacker gains further control over the compromised system, potentially leading to lateral movement or data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems can lead to data breaches, system instability, and further propagation of malware within the network. Successful exploitation can result in sensitive information being stolen, disruption of services, and potential financial losses. 
This activity can be difficult to detect without specific monitoring rules and can lead to extended dwell time for attackers within the compromised environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMSBuild Making Outbound Network Connection\u003c/code\u003e to your SIEM to detect suspicious network connections initiated by MsBuild.exe.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the destination IP addresses and the content of the network traffic.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for instances of MsBuild.exe executing unusual or suspicious project files.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring with command-line argument logging to identify potential malicious project files being passed to MsBuild.exe.\u003c/li\u003e\n\u003cli\u003eConsider implementing application control policies to restrict the execution of MsBuild.exe to authorized users and processes only.\u003c/li\u003e\n\u003cli\u003eBlock known malicious domains and IP addresses associated with command and control activity at the firewall or DNS resolver.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-09-msbuild-network-connections/","summary":"MsBuild.exe making outbound network connections may indicate adversarial activity as attackers leverage MsBuild to execute code and evade detection.","title":"MSBuild Making Network Connections Indicating Potential Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-09-msbuild-network-connections/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","msbuild","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Microsoft Build Engine 
(MSBuild) is a platform for building applications that uses an XML schema for project files to control the build process. Attackers can abuse MSBuild to execute malicious code, proxy code execution, and masquerade as legitimate utilities to evade defenses. This behavior is often used in defense evasion tactics. This detection identifies instances of \u003ccode\u003eMsBuild.exe\u003c/code\u003e executing and subsequently establishing network connections to external addresses. This activity warrants further investigation as it deviates from expected usage patterns and might signify malicious exploitation of MSBuild.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary gains initial access to the system via unspecified means.\u003c/li\u003e\n\u003cli\u003eAdversary executes \u003ccode\u003eMsBuild.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMSBuild process loads and executes a malicious project file, potentially containing embedded code or instructions to download and execute further payloads.\u003c/li\u003e\n\u003cli\u003eThe project file instructs MSBuild to initiate a network connection to a remote server.\u003c/li\u003e\n\u003cli\u003eMSBuild establishes an outbound network connection to the attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker can use the established connection for command and control (C2) or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe compromised host may download additional malicious tools or payloads from the C2 server using MSBuild\u0026rsquo;s network capabilities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging MSBuild can lead to code execution, defense evasion, and potentially command and control. Although the number of affected organizations is not specified, any Windows environment where developers use MSBuild is potentially at risk. 
If successful, attackers can bypass traditional security measures, gain unauthorized access, and exfiltrate sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging and network connection logging (for example Sysmon event IDs 1 and 3) on Windows endpoints to capture the necessary events for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;MSBuild Making Network Connections\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the process execution chain and network connections for suspicious activity.\u003c/li\u003e\n\u003cli\u003eConsider adding exceptions for legitimate MSBuild network activity, such as NuGet package restore to approved feeds, based on destination IP addresses and command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-09-msbuild-network/","summary":"Detection of MsBuild.exe making outbound network connections which may indicate adversarial activity used to execute code and evade detection.","title":"MSBuild Making Network Connections","url":"https://feed.craftedsignal.io/briefs/2024-01-09-msbuild-network/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild","Elastic Defend","Sysmon","Windows Security Event Logs"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","msbuild"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a legitimate tool used for building applications. However, adversaries may abuse MSBuild to execute malicious scripts or compile code, effectively bypassing security controls. This technique is often employed to deploy malicious payloads. 
This detection focuses on identifying instances where MSBuild initiates unusual processes such as PowerShell, Internet Explorer, or the Visual C# Command Line Compiler (csc.exe). A build has little reason to spawn PowerShell or Internet Explorer, so those children are suspicious on their own; csc.exe is different, because MSBuild launches the C# compiler during ordinary builds, so that child needs tuning against known build hosts rather than treatment as an unconditional alert. The original Elastic detection rule was created on 2020-03-25 and last updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or creates an MSBuild project file (.csproj or .sln) containing malicious commands.\u003c/li\u003e\n\u003cli\u003eThe malicious MSBuild project file is crafted to execute a script or compile code.\u003c/li\u003e\n\u003cli\u003eThe attacker runs MSBuild.exe against the malicious project file.\u003c/li\u003e\n\u003cli\u003eMSBuild spawns an unusual process such as powershell.exe, csc.exe, or iexplore.exe based on the malicious project file configuration.\u003c/li\u003e\n\u003cli\u003ePowerShell executes arbitrary commands, downloads further payloads, or performs other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe C# compiler (csc.exe) compiles malicious code into an executable or library.\u003c/li\u003e\n\u003cli\u003eThe compiled malware or downloaded payloads execute, leading to further compromise, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to deploy malware, compromise sensitive data, and establish persistence on the targeted system. 
The use of MSBuild for malicious purposes allows attackers to bypass application whitelisting and other security controls that trust signed Microsoft binaries. While the precise number of victims is unknown, this technique can be employed against a wide range of organizations, particularly those with vulnerable systems or inadequate endpoint protection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging, specifically including parent-child relationships, to detect unusual process spawning by MSBuild (logs-endpoint.events.process-*, logs-system.security*, logs-windows.forwarded*, logs-windows.sysmon_operational-*, winlogbeat-*).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Build Engine Started an Unusual Process\u0026rdquo; to your SIEM to identify instances of MSBuild spawning suspicious processes, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of MSBuild spawning PowerShell, csc.exe, or iexplore.exe to determine if the activity is legitimate or malicious (process.name:(\u0026ldquo;csc.exe\u0026rdquo; or \u0026ldquo;iexplore.exe\u0026rdquo; or \u0026ldquo;powershell.exe\u0026rdquo;)).\u003c/li\u003e\n\u003cli\u003eMonitor for modifications to MSBuild project files (.proj or .sln) for signs of tampering.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-msbuild-unusual-process/","summary":"Adversaries may exploit MSBuild to execute malicious scripts or compile code, bypassing security controls; this rule detects unusual processes initiated by MSBuild, such as PowerShell or C# compiler, signaling potential misuse for executing unauthorized or harmful actions.","title":"MSBuild Starts Unusual Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-msbuild-unusual-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","msbuild","proxy-execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a software build platform typically used by developers. However, attackers can abuse MSBuild to execute malicious code by using it as a proxy execution method, allowing them to bypass traditional defenses. This technique involves invoking MSBuild from scripting environments like PowerShell or cmd.exe to run arbitrary code within the context of a trusted process. The activity detected by this rule focuses on instances where MSBuild is launched by a script interpreter. Build servers and developer wrapper scripts do launch MSBuild from cmd.exe or PowerShell routinely, so the signal lies in where it happens (non-developer hosts) and what is built (project files in user-writable or temporary paths), not in the parent process alone. This behavior, observed since at least 2020, can be used for stealthy execution of payloads and defense evasion tactics, especially in environments that trust MSBuild as a legitimate system utility. Defenders should be aware of this technique as it allows attackers to blend in with normal system activity and bypass application control policies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eA script (e.g., PowerShell, cmd.exe) is used to execute a malicious command or series of commands.\u003c/li\u003e\n\u003cli\u003eThe script invokes \u003ccode\u003emsbuild.exe\u003c/code\u003e with specific arguments to execute arbitrary code. 
This might involve inline tasks or references to external XML project files containing malicious instructions.\u003c/li\u003e\n\u003cli\u003eMSBuild processes the provided XML file or inline task, interpreting and executing the malicious code.\u003c/li\u003e\n\u003cli\u003eThe executed code performs actions such as downloading additional payloads, modifying system configurations, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eMSBuild, acting as a proxy, executes the attacker\u0026rsquo;s code within a trusted process, potentially evading detection by security software.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised system to move laterally within the network, escalating privileges, and accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s final objective is achieved, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on Windows systems, potentially leading to data theft, system compromise, and further propagation within the network. This technique can bypass application control and other security measures, making it difficult to detect and prevent. The impact can range from minor data breaches to complete system takeover, depending on the attacker\u0026rsquo;s objectives and the compromised system\u0026rsquo;s role within the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the process tree and command-line arguments, enabling detection of suspicious MSBuild executions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMicrosoft Build Engine Started by a Script Process\u003c/code\u003e to your SIEM to identify instances of MSBuild being invoked by script interpreters. 
Tune the rule with appropriate whitelisting for known development activities to reduce false positives.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for \u003ccode\u003emsbuild.exe\u003c/code\u003e with parent processes such as \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, and \u003ccode\u003emshta.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of MSBuild to authorized users and directories.\u003c/li\u003e\n\u003cli\u003eRegularly review and update the list of excluded processes and directories in the Sigma rule to adapt to changing development practices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-msbuild-script-execution/","summary":"Adversaries may use MSBuild, a legitimate Microsoft tool, to execute malicious code through script interpreters for defense evasion and execution on Windows systems.","title":"Suspicious MSBuild Execution from Scripting Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-msbuild-script-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","privilege-escalation","process-injection"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a platform for building applications, commonly used in software development environments. Adversaries are exploiting MSBuild to perform process injection, a technique to execute malicious code within the address space of another process. This allows attackers to evade detection and potentially escalate privileges. The detection focuses on monitoring for thread creation in other processes by instances of MSBuild.exe. 
This activity is considered unusual outside of legitimate software development or build environments. Abuse of MSBuild to proxy execution through a trusted developer utility is a known technique (T1127.001, Trusted Developer Utilities Proxy Execution: MSBuild); the remote thread creation this rule looks for is the process injection step (T1055) that the proxied code performs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., compromised credentials, software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes MSBuild.exe, either directly or through another process.\u003c/li\u003e\n\u003cli\u003eMSBuild.exe is used to load and execute a malicious project file or inline code.\u003c/li\u003e\n\u003cli\u003eThe malicious code uses Windows API calls to write a payload into a target process\u0026rsquo;s memory and then create a thread in that process to run it.\u003c/li\u003e\n\u003cli\u003eThe remote thread starts the payload inside the target process; Sysmon records the thread creation as event ID 8.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the target process, potentially performing malicious activities.\u003c/li\u003e\n\u003cli\u003eThese activities could include lateral movement, data exfiltration, or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful process injection can lead to a variety of malicious outcomes, including privilege escalation, data theft, and system compromise. While the specific number of victims is not available, MSBuild.exe ships with the .NET Framework, so it is present on essentially every Windows host, not only developer machines, and any of them can be abused this way. The use of a trusted Microsoft utility like MSBuild makes detection more difficult, as it can blend in with legitimate developer activity. 
This can lead to prolonged compromise and significant damage before the malicious activity is detected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation and CreateRemoteThread logging (event IDs 1 and 8) to detect the malicious activity described in the attack chain.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Process Injection by the Microsoft Build Engine\u0026rdquo; to your SIEM and tune for your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized execution of MSBuild.exe in non-development environments.\u003c/li\u003e\n\u003cli\u003eMonitor the parent processes of MSBuild.exe for unusual or suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-msbuild-process-injection/","summary":"The Microsoft Build Engine (MSBuild) is being abused to perform process injection by creating threads in other processes, a technique used to evade detection and potentially escalate privileges.","title":"MSBuild Process Injection Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-msbuild-process-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","msbuild","masquerading"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may rename legitimate utilities, such as MSBuild, to evade detection, application allowlists, and other security protections. MSBuild, the Microsoft Build Engine, is a platform for building applications. Attackers can abuse MSBuild to proxy the execution of malicious code. The detection rule identifies instances where MSBuild is started after being renamed, indicating a potential attempt to evade detection. 
The rule focuses on identifying processes where the original file name is MSBuild.exe, but the process name is different, suggesting a renaming attempt.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker renames the legitimate MSBuild.exe executable to a different name (e.g., evil.exe) to evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the renamed MSBuild executable (evil.exe) with a malicious project file (.csproj or similar).\u003c/li\u003e\n\u003cli\u003eMSBuild processes the project file, which contains commands or scripts to be executed.\u003c/li\u003e\n\u003cli\u003eThe malicious commands within the project file are executed by MSBuild, potentially downloading or executing further payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker may use MSBuild to execute PowerShell commands or other scripting languages for lateral movement or further exploitation.\u003c/li\u003e\n\u003cli\u003eMSBuild can be used to modify files, registry entries, or other system settings.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to install malware, steal sensitive information, or compromise the entire system. 
Renaming MSBuild defeats allowlists and detection rules that key on the file name or path; application control rules keyed on publisher or file hash (such as a block-list entry for MSBuild) still apply to the renamed copy, as does any detection that reads the OriginalFileName from the PE version resource.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (event ID 1) to capture the \u003ccode\u003eImage\u003c/code\u003e and \u003ccode\u003eOriginalFileName\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Build Engine Using an Alternate Name\u0026rdquo; to your SIEM and tune for your environment to detect renamed MSBuild executables based on process metadata and command-line arguments.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for processes with \u003ccode\u003eOriginalFileName\u003c/code\u003e of \u0026ldquo;MSBuild.exe\u0026rdquo; and a different \u003ccode\u003eprocess.name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of renamed executables, specifically those with an \u003ccode\u003eOriginalFileName\u003c/code\u003e of \u0026ldquo;MSBuild.exe.\u0026rdquo;\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-msbuild-renamed/","summary":"Attackers may rename the Microsoft Build Engine (MSBuild) executable to evade detection and proxy execution of malicious code.","title":"Microsoft Build Engine Executed After Renaming","url":"https://feed.craftedsignal.io/briefs/2024-01-03-msbuild-renamed/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild","Elastic Defend","Windows"],"_cs_severities":["high"],"_cs_tags":["credential-access","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies potential credential access attempts leveraging the Microsoft Build Engine (MSBuild). 
Attackers may abuse MSBuild, a legitimate developer tool, to load malicious DLLs related to Windows credential management, such as \u003ccode\u003evaultcli.dll\u003c/code\u003e or \u003ccode\u003eSAMLib.dll\u003c/code\u003e. This technique enables credential dumping by a trusted Windows utility, making it harder to detect. The rule focuses on detecting the loading of these specific DLLs by MSBuild processes. The rule relies on data from Elastic Defend and Sysmon logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eAttacker places a malicious \u003ccode\u003e.csproj\u003c/code\u003e file or a DLL designed to load credential management DLLs on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003eMSBuild.exe\u003c/code\u003e to process the malicious project file.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eMSBuild.exe\u003c/code\u003e loads the attacker-controlled DLL.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled DLL loads either \u003ccode\u003evaultcli.dll\u003c/code\u003e or \u003ccode\u003eSAMLib.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe loaded DLLs are used to dump credentials from the system.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the dumped credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials for lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of sensitive credentials stored on the affected system. This can allow attackers to move laterally within the network, access confidential data, and potentially compromise entire domains. 
The impact ranges from data breaches to complete system compromise, depending on the privileges of the compromised accounts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMSBuild Loads Credential Management DLL\u003c/code\u003e to your SIEM, tuned for your specific environment, to detect instances of MSBuild loading \u003ccode\u003evaultcli.dll\u003c/code\u003e or \u003ccode\u003eSAMLib.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon event ID 7 (Image Loaded) logging with the appropriate configurations to capture DLL loading events.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of MSBuild loading \u003ccode\u003evaultcli.dll\u003c/code\u003e or \u003ccode\u003eSAMLib.dll\u003c/code\u003e from unusual or unexpected locations using the guidance in the rule note.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-msbuild-credential-dumping/","summary":"The detection rule identifies a potential credential access attempt via the trusted developer utility MSBuild by detecting instances where it loads DLLs associated with Windows credential management, specifically vaultcli.dll or SAMLib.DLL, which is often used for credential dumping.","title":"Potential Credential Access via MSBuild Loading Credential Management DLLs","url":"https://feed.craftedsignal.io/briefs/2024-01-02-msbuild-credential-dumping/"}],"language":"en","title":"CraftedSignal Threat Feed — MSBuild","version":"https://jsonfeed.org/version/1.1"}
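The six detections described in the briefs above (MSBuild spawning an unusual child, MSBuild launched from a script interpreter, a renamed MSBuild binary, MSBuild making an outbound connection, MSBuild loading vaultcli.dll or SAMLib.dll, and MSBuild creating a thread in another process) all read the same Sysmon fields, so one added example covers them. This is example code written for this page, not CraftedSignal's, Elastic's or Microsoft's, and not the Sigma rules the briefs name; the events, file paths and internal address ranges are constructed, and the sets of script parents, unusual children and internal networks are assumptions a real deployment would tune.

```python
"""Added example, not code from CraftedSignal, Elastic or Microsoft: the six detections
in this feed evaluated over constructed Sysmon-style events (EID 1 process creation,
3 network connection, 7 image loaded, 8 CreateRemoteThread). Field names follow
Sysmon; the events, paths and internal ranges are made up for the example."""
import ipaddress
import ntpath

MSBUILD = "msbuild.exe"
UNUSUAL_CHILDREN = {"powershell.exe", "csc.exe", "iexplore.exe"}
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe"}
CRED_DLLS = {"vaultcli.dll", "samlib.dll"}
# Hypothetical internal ranges; a destination outside them counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def base(path):
    """Case-folded file name of a Windows path ('' when the field is absent)."""
    return ntpath.basename(path or "").lower()


def is_msbuild(ev, field="Image"):
    """MSBuild by file name, or (EID 1 only) by the PE OriginalFileName, so the
    rules that key on process identity still fire on a renamed copy."""
    if base(ev.get(field)) == MSBUILD:
        return True
    return field == "Image" and (ev.get("OriginalFileName") or "").lower() == MSBUILD


def unusual_child(ev):        # MSBuild Starts Unusual Processes
    return (ev["EventID"] == 1 and is_msbuild(ev, "ParentImage")
            and base(ev.get("Image")) in UNUSUAL_CHILDREN)

def started_by_script(ev):    # Suspicious MSBuild Execution from Scripting Processes
    return (ev["EventID"] == 1 and is_msbuild(ev)
            and base(ev.get("ParentImage")) in SCRIPT_PARENTS)

def renamed(ev):              # Microsoft Build Engine Executed After Renaming
    return (ev["EventID"] == 1 and base(ev.get("Image")) != MSBUILD
            and (ev.get("OriginalFileName") or "").lower() == MSBUILD)

def external_connection(ev):  # MSBuild Making Network Connections
    if ev["EventID"] != 3 or not is_msbuild(ev):
        return False
    ip = ipaddress.ip_address(ev["DestinationIp"])
    return not any(ip in net for net in INTERNAL_NETS)

def loads_credential_dll(ev):  # Potential Credential Access via MSBuild
    return (ev["EventID"] == 7 and is_msbuild(ev)
            and base(ev.get("ImageLoaded")) in CRED_DLLS)

def remote_thread(ev):        # MSBuild Process Injection Detection
    return (ev["EventID"] == 8 and is_msbuild(ev, "SourceImage")
            and ev.get("SourceProcessGuid") != ev.get("TargetProcessGuid"))

RULES = (unusual_child, started_by_script, renamed,
         external_connection, loads_credential_dll, remote_thread)


def run(events):
    """Map each rule name to the indices of the events it matches."""
    hits = {rule.__name__: [] for rule in RULES}
    for i, ev in enumerate(events):
        for rule in RULES:
            if rule(ev):
                hits[rule.__name__].append(i)
    return hits


FW = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed sample telemetry, not captured data
    # 0: ordinary build started from Visual Studio; nothing should fire
    {"EventID": 1, "Image": FW + r"\MSBuild.exe", "OriginalFileName": "MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    # 1: MSBuild launched from PowerShell against a project in a user-writable path
    {"EventID": 1, "Image": FW + r"\MSBuild.exe", "OriginalFileName": "MSBuild.exe",
     "ParentImage": PS, "CommandLine": r"MSBuild.exe C:\Users\Public\build.csproj"},
    # 2: MSBuild spawns PowerShell (an Exec task, for example)
    {"EventID": 1, "Image": PS, "OriginalFileName": "PowerShell.EXE", "ParentImage": FW + r"\MSBuild.exe"},
    # 3: renamed copy started from cmd.exe; OriginalFileName gives it away, so two rules fire
    {"EventID": 1, "Image": r"C:\Users\Public\build.exe", "OriginalFileName": "MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # 4-5: package restore to an internal feed (benign) versus a connection to an external host
    {"EventID": 3, "Image": FW + r"\MSBuild.exe", "DestinationIp": "10.0.0.25", "DestinationPort": 443},
    {"EventID": 3, "Image": FW + r"\MSBuild.exe", "DestinationIp": "203.0.113.5", "DestinationPort": 443},
    # 6-7: credential vault DLL versus a normal build assembly
    {"EventID": 7, "Image": FW + r"\MSBuild.exe", "ImageLoaded": r"C:\Windows\System32\vaultcli.dll"},
    {"EventID": 7, "Image": FW + r"\MSBuild.exe", "ImageLoaded": FW + r"\Microsoft.Build.dll"},
    # 8: MSBuild creates a thread inside another process
    {"EventID": 8, "SourceImage": FW + r"\MSBuild.exe", "SourceProcessGuid": "{A}",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "TargetProcessGuid": "{B}"},
]

if __name__ == "__main__":
    for name, idx in run(EVENTS).items():
        print(f"{name:22} {idx}")
```

Run as a script to print which event indices each rule matched. Events 1 and 3 both hit started_by_script because is_msbuild falls back to OriginalFileName on process-creation events; the Sysmon network, image-load and remote-thread events carry no OriginalFileName, so those three rules match on the file name alone and will miss a renamed copy, which is why the renamed rule has to run alongside them rather than replace them. The internal-range check is the place to encode the package-restore exceptions the briefs recommend.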