Analytics Story: Trusted Developer Utilities Proxy Execution MSBuild

Description

Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious code.

Why it matters

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio and is native to Windows. It handles XML formatted project files that define requirements for loading and building various platforms and configurations. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file. MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution. The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging msbuild.exe to execute malicious code. Triage Validate execution

  1. Determine if MSBuild.exe executed. Validate the OriginalFileName of MSBuild.exe and further PE metadata.
  2. Determine if script code was executed with MSBuild. Situational Awareness The objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSBuild.exe.
  3. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?
  4. Module loads. Are the known MSBuild.exe modules being loaded by a non-standard application? Is MSbuild loading any suspicious .DLLs?
  5. Network connections. Any network connections? Review the reputation of the remote IP or domain. Retrieval of script code The objective of this step is to confirm the executed script code is benign or malicious.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
MSBuild Suspicious Spawned By Script Process MSBuild, Trusted Developer Utilities Proxy Execution TTP
Suspicious msbuild path Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild TTP
Suspicious MSBuild Rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild Hunting
Suspicious MSBuild Spawn Trusted Developer Utilities Proxy Execution, MSBuild TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References


Source: GitHub | Version: 1