{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/msbuild/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Build Engine","Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","execution","msbuild","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a software build platform commonly used by Windows developers. When MSBuild is started by an Office application like Word or Excel, it deviates from typical usage patterns. This behavior can be indicative of a malicious document executing a script payload as part of a defense evasion tactic. Attackers may leverage MSBuild to execute code or perform actions that would otherwise be blocked or detected. This activity is particularly concerning because it can bypass traditional security measures that focus on blocking suspicious executables or scripts directly launched by Office applications. The rule was created in March 2020, and last updated in April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user opens a malicious Office document (e.g., Word, Excel, PowerPoint).\u003c/li\u003e\n\u003cli\u003eThe Office document contains an embedded macro or exploit that triggers the execution of MSBuild.exe.\u003c/li\u003e\n\u003cli\u003eMSBuild.exe is launched as a child process of the Office application (e.g., winword.exe, excel.exe, powerpnt.exe).\u003c/li\u003e\n\u003cli\u003eMSBuild executes a project file or inline task specified in the command line. 
This can involve compiling code, executing scripts, or performing other actions.\u003c/li\u003e\n\u003cli\u003eThe executed code or script performs malicious activities, such as downloading additional payloads, modifying system settings, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eMSBuild may spawn child processes, such as cmd.exe, powershell.exe, or other utilities, to further execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could include data exfiltration, installing malware, or gaining unauthorized access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code on the victim\u0026rsquo;s machine, potentially resulting in data theft, malware installation, or complete system compromise. Since MSBuild is a legitimate Microsoft tool, its use by malicious actors can make detection more challenging. The impact is high because it leverages a trusted process to carry out malicious activities, evading standard security measures.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Build Engine Started by an Office Application\u0026rdquo; to your SIEM to detect this specific behavior based on process creation events.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with the appropriate configuration to capture the necessary process start events for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the command-line arguments of MSBuild.exe and the parent process information, including the executable name and command line.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for MSBuild.exe with parent processes being Office applications as a high priority indicator of 
potential compromise.\u003c/li\u003e\n\u003cli\u003eReview and harden Office macro settings to prevent execution of malicious macros.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:22:00Z","date_published":"2024-01-09T18:22:00Z","id":"/briefs/2024-01-msbuild-office-app/","summary":"The Microsoft Build Engine (MSBuild) being started by an Office application is unusual behavior and could indicate a malicious document executing a script payload for defense evasion.","title":"Microsoft Build Engine Started by an Office Application","url":"https://feed.craftedsignal.io/briefs/2024-01-msbuild-office-app/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","command-and-control","msbuild"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may abuse the Microsoft Build Engine (MSBuild) to execute malicious files or masquerade as legitimate utilities to bypass detections and evade defenses. MSBuild is a platform for building applications using an XML schema for project files that controls how the build platform processes and builds software. The observed behavior involves MsBuild.exe initiating outbound network connections, which is not typical for its intended use and may indicate unauthorized code execution or command and control activity. This activity can be used to download malicious payloads, exfiltrate data, or establish a reverse shell. 
Detecting this behavior is crucial as it can be an early indicator of compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access through an external vector (e.g., phishing, software vulnerability).\u003c/li\u003e\n\u003cli\u003eAttacker executes MsBuild.exe.\u003c/li\u003e\n\u003cli\u003eMSBuild executes a malicious project file (.csproj, .vbproj).\u003c/li\u003e\n\u003cli\u003eThe project file contains embedded or referenced code (e.g., C#, VB.NET) designed to perform malicious actions.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes, initiating a network connection.\u003c/li\u003e\n\u003cli\u003eThe network connection is established to an external command and control (C2) server or a resource hosting a malicious payload.\u003c/li\u003e\n\u003cli\u003eData exfiltration or payload download occurs via the network connection.\u003c/li\u003e\n\u003cli\u003eThe attacker gains further control over the compromised system, potentially leading to lateral movement or data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems can lead to data breaches, system instability, and further propagation of malware within the network. Successful exploitation can result in sensitive information being stolen, disruption of services, and potential financial losses. 
This activity can be difficult to detect without specific monitoring rules and can lead to extended dwell time for attackers within the compromised environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMSBuild Making Outbound Network Connection\u003c/code\u003e to your SIEM to detect suspicious network connections initiated by MsBuild.exe.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the destination IP addresses and the content of the network traffic.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for instances of MsBuild.exe executing unusual or suspicious project files.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring with command-line argument logging to identify potential malicious project files being passed to MsBuild.exe.\u003c/li\u003e\n\u003cli\u003eConsider implementing application control policies to restrict the execution of MsBuild.exe to authorized users and processes only.\u003c/li\u003e\n\u003cli\u003eBlock known malicious domains and IP addresses associated with command and control activity at the firewall or DNS resolver.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-09-msbuild-network-connections/","summary":"MsBuild.exe making outbound network connections may indicate adversarial activity as attackers leverage MsBuild to execute code and evade detection.","title":"MSBuild Making Network Connections Indicating Potential Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-09-msbuild-network-connections/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","msbuild","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Microsoft Build Engine 
(MSBuild) is a platform for building applications that uses an XML schema for project files to control the build process. Attackers can abuse MSBuild to execute malicious code, proxy code execution, and masquerade as legitimate utilities to evade defenses. This behavior is often used in defense evasion tactics. This detection identifies instances of \u003ccode\u003eMsBuild.exe\u003c/code\u003e executing and subsequently establishing network connections to external addresses. This activity warrants further investigation as it deviates from expected usage patterns and might signify malicious exploitation of MSBuild.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary gains initial access to the system via unspecified means.\u003c/li\u003e\n\u003cli\u003eAdversary executes \u003ccode\u003eMsBuild.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMSBuild process loads and executes a malicious project file, potentially containing embedded code or instructions to download and execute further payloads.\u003c/li\u003e\n\u003cli\u003eThe project file instructs MSBuild to initiate a network connection to a remote server.\u003c/li\u003e\n\u003cli\u003eMSBuild establishes an outbound network connection to the attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker can use the established connection for command and control (C2) or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe compromised host may download additional malicious tools or payloads from the C2 server using MSBuild\u0026rsquo;s network capabilities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging MSBuild can lead to code execution, defense evasion, and potentially command and control. Although the number of affected organizations is not specified, any Windows environment where developers use MSBuild is potentially at risk. 
If successful, attackers can bypass traditional security measures, gain unauthorized access, and exfiltrate sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging and network connection logging on Windows endpoints to capture the necessary events for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;MSBuild Making Network Connections\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the process execution chain and network connections for suspicious activity.\u003c/li\u003e\n\u003cli\u003eConsider adding exceptions for legitimate MSBuild network activity, based on destination IP addresses and command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-09-msbuild-network/","summary":"Detection of MsBuild.exe making outbound network connections which may indicate adversarial activity used to execute code and evade detection.","title":"MSBuild Making Network Connections","url":"https://feed.craftedsignal.io/briefs/2024-01-09-msbuild-network/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild","Elastic Defend","Sysmon","Windows Security Event Logs"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","msbuild"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a legitimate tool used for building applications. However, adversaries may abuse MSBuild to execute malicious scripts or compile code, effectively bypassing security controls. This technique is often employed to deploy malicious payloads. 
This detection focuses on identifying instances where MSBuild initiates unusual processes such as PowerShell, Internet Explorer, or the Visual C# Command Line Compiler (csc.exe). This activity is considered suspicious because legitimate software development workflows do not typically involve MSBuild directly spawning these processes. The original Elastic detection rule was created on 2020-03-25 and last updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or creates an MSBuild project file (.csproj or .sln) containing malicious commands.\u003c/li\u003e\n\u003cli\u003eThe malicious MSBuild project file is crafted to execute a script or compile code.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the MSBuild.exe or msbuild.exe utility to execute the malicious project file.\u003c/li\u003e\n\u003cli\u003eMSBuild spawns an unusual process such as powershell.exe, csc.exe, or iexplore.exe based on the malicious project file configuration.\u003c/li\u003e\n\u003cli\u003ePowerShell executes arbitrary commands, downloads further payloads, or performs other malicious actions.\u003c/li\u003e\n\u003cli\u003eThe C# compiler (csc.exe) compiles malicious code into an executable or library.\u003c/li\u003e\n\u003cli\u003eThe compiled malware or downloaded payloads execute, leading to further compromise, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to deploy malware, compromise sensitive data, and establish persistence on the targeted system. 
The use of MSBuild for malicious purposes allows attackers to bypass application whitelisting and other security controls that trust signed Microsoft binaries. While the precise number of victims is unknown, this technique can be employed against a wide range of organizations, particularly those with vulnerable systems or inadequate endpoint protection.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging, specifically including parent-child relationships, to detect unusual process spawning by MSBuild (logs-endpoint.events.process-*, logs-system.security*, logs-windows.forwarded*, logs-windows.sysmon_operational-*, winlogbeat-*).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Build Engine Started an Unusual Process\u0026rdquo; to your SIEM to identify instances of MSBuild spawning suspicious processes, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of MSBuild spawning PowerShell, csc.exe, or iexplore.exe to determine if the activity is legitimate or malicious (process.name:(\u0026ldquo;csc.exe\u0026rdquo; or \u0026ldquo;iexplore.exe\u0026rdquo; or \u0026ldquo;powershell.exe\u0026rdquo;)).\u003c/li\u003e\n\u003cli\u003eMonitor for modifications to MSBuild project files (.proj or .sln) for signs of tampering.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-msbuild-unusual-process/","summary":"Adversaries may exploit MSBuild to execute malicious scripts or compile code, bypassing security controls; this rule detects unusual processes initiated by MSBuild, such as PowerShell or C# compiler, signaling potential misuse for executing unauthorized or harmful actions.","title":"MSBuild Starts Unusual Processes",
"url":"https://feed.craftedsignal.io/briefs/2024-01-msbuild-unusual-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","msbuild","proxy-execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a software build platform typically used by developers. However, attackers can abuse MSBuild to execute malicious code by using it as a proxy execution method, allowing them to bypass traditional defenses. This technique involves invoking MSBuild from scripting environments like PowerShell or cmd.exe to run arbitrary code within the context of a trusted process. The activity detected by this rule focuses on instances where MSBuild is launched by a script interpreter, which is not typical for standard software development workflows. This behavior, observed since at least 2020, can be used for stealthy execution of payloads and defense evasion tactics, especially in environments that trust MSBuild as a legitimate system utility. Defenders should be aware of this technique as it allows attackers to blend in with normal system activity and bypass application control policies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system, potentially through phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eA script (e.g., PowerShell, cmd.exe) is used to execute a malicious command or series of commands.\u003c/li\u003e\n\u003cli\u003eThe script invokes \u003ccode\u003emsbuild.exe\u003c/code\u003e with specific arguments to execute arbitrary code. 
This might involve inline tasks or references to external XML project files containing malicious instructions.\u003c/li\u003e\n\u003cli\u003eMSBuild processes the provided XML file or inline task, interpreting and executing the malicious code.\u003c/li\u003e\n\u003cli\u003eThe executed code performs actions such as downloading additional payloads, modifying system configurations, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eMSBuild, acting as a proxy, executes the attacker\u0026rsquo;s code within a trusted process, potentially evading detection by security software.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised system to move laterally within the network, escalating privileges, and accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s final objective is achieved, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on Windows systems, potentially leading to data theft, system compromise, and further propagation within the network. This technique can bypass application control and other security measures, making it difficult to detect and prevent. The impact can range from minor data breaches to complete system takeover, depending on the attacker\u0026rsquo;s objectives and the compromised system\u0026rsquo;s role within the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the process tree and command-line arguments, enabling detection of suspicious MSBuild executions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMicrosoft Build Engine Started by a Script Process\u003c/code\u003e to your SIEM to identify instances of MSBuild being invoked by script interpreters. 
Tune the rule with appropriate whitelisting for known development activities to reduce false positives.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for \u003ccode\u003emsbuild.exe\u003c/code\u003e with parent processes such as \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, and \u003ccode\u003emshta.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of MSBuild to authorized users and directories.\u003c/li\u003e\n\u003cli\u003eRegularly review and update the list of excluded processes and directories in the Sigma rule to adapt to changing development practices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-msbuild-script-execution/","summary":"Adversaries may use MSBuild, a legitimate Microsoft tool, to execute malicious code through script interpreters for defense evasion and execution on Windows systems.","title":"Suspicious MSBuild Execution from Scripting Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-msbuild-script-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","msbuild","proxy-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe Microsoft Build Engine (MSBuild) is a legitimate tool used by developers to build applications. However, adversaries are known to abuse MSBuild to execute malicious code, leveraging its trusted status to bypass security measures. This technique allows attackers to perform various actions on compromised systems while blending in with legitimate system activity. 
The observed behavior involves MSBuild being started by system processes like Explorer (explorer.exe) or Windows Management Instrumentation (WMI, wmiprvse.exe). Defenders should be aware of this unusual activity as it signifies a potential defense evasion tactic and unauthorized code execution within the targeted environment. This activity has been observed across environments leveraging Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, CrowdStrike, and standard Windows event logging.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means (e.g., phishing, exploitation of vulnerabilities).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a script or payload that invokes MSBuild.exe.\u003c/li\u003e\n\u003cli\u003eThe script or payload is executed by a system process like explorer.exe or wmiprvse.exe, which is highly unusual for typical MSBuild usage.\u003c/li\u003e\n\u003cli\u003eMSBuild.exe starts with specific command-line arguments that dictate the build process, often involving malicious code.\u003c/li\u003e\n\u003cli\u003eThe malicious code is embedded within an MSBuild project file (.csproj or similar).\u003c/li\u003e\n\u003cli\u003eMSBuild.exe executes the malicious code as part of the build process.\u003c/li\u003e\n\u003cli\u003eThe executed code performs actions such as downloading additional payloads, modifying system configurations, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as gaining remote access, exfiltrating data, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a variety of negative outcomes, including unauthorized code execution, system compromise, data theft, and potentially complete system takeover. 
The use of MSBuild as a proxy execution method allows attackers to evade traditional security controls and blend in with legitimate system activities. This can result in delayed detection and increased dwell time, amplifying the potential damage. Since MSBuild is a trusted Microsoft utility, its abuse can make malicious activity harder to identify and respond to.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Build Engine Started by a System Process\u0026rdquo; to your SIEM to detect instances of MSBuild.exe being launched by explorer.exe or wmiprvse.exe (see rules section).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to capture the full context of MSBuild.exe executions (reference setup instructions in the source URL).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of MSBuild.exe started by explorer.exe or wmiprvse.exe to determine if they are legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for MSBuild.exe and related processes to detect similar activities in the future, ensuring alerts are configured for rapid response.\u003c/li\u003e\n\u003cli\u003eReview and whitelist any legitimate scripts or administrative tools that leverage MSBuild for authorized tasks to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-msbuild-system-process/","summary":"Adversaries are leveraging MSBuild, a Microsoft Build Engine, to execute malicious code by initiating it from system processes such as Explorer or WMI to evade defenses and execute unauthorized actions.","title":"MSBuild Started by System Process for Defense Evasion and 
Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-msbuild-system-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["MSBuild"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","msbuild","masquerading"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may rename legitimate utilities, such as MSBuild, to evade detection, application allowlists, and other security protections. MSBuild, the Microsoft Build Engine, is a platform for building applications. Attackers can abuse MSBuild to proxy the execution of malicious code. The detection rule identifies instances where MSBuild is started after being renamed, indicating a potential attempt to evade detection. The rule focuses on identifying processes where the original file name is MSBuild.exe, but the process name is different, suggesting a renaming attempt.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker renames the legitimate MSBuild.exe executable to a different name (e.g., evil.exe) to evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the renamed MSBuild executable (evil.exe) with a malicious project file (.csproj or similar).\u003c/li\u003e\n\u003cli\u003eMSBuild processes the project file, which contains commands or scripts to be executed.\u003c/li\u003e\n\u003cli\u003eThe malicious commands within the project file are executed by MSBuild, potentially downloading or executing further payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker may use MSBuild to execute PowerShell commands or other scripting languages for lateral movement or further exploitation.\u003c/li\u003e\n\u003cli\u003eMSBuild can be used to modify files, registry entries, or other system settings.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, 
such as data exfiltration or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to install malware, steal sensitive information, or compromise the entire system. The renaming of MSBuild can bypass standard application allowlisting and detection mechanisms.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the \u003ccode\u003eImage\u003c/code\u003e and \u003ccode\u003eOriginalFileName\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Microsoft Build Engine Using an Alternate Name\u0026rdquo; to your SIEM and tune for your environment to detect renamed MSBuild executables based on process metadata and command-line arguments.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for processes with \u003ccode\u003eOriginalFileName\u003c/code\u003e of \u0026ldquo;MSBuild.exe\u0026rdquo; and a different \u003ccode\u003eprocess.name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of renamed executables, specifically those with an \u003ccode\u003eOriginalFileName\u003c/code\u003e of \u0026ldquo;MSBuild.exe.\u0026rdquo;\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-msbuild-renamed/","summary":"Attackers may rename the Microsoft Build Engine (MSBuild) executable to evade detection and proxy execution of malicious code.","title":"Microsoft Build Engine Executed After Renaming","url":"https://feed.craftedsignal.io/briefs/2024-01-03-msbuild-renamed/"}],"language":"en","title":"CraftedSignal Threat Feed — Msbuild","version":"https://jsonfeed.org/version/1.1"}