Try in Splunk Security Cloud

Description

Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-01-21
  • Author: Michael Haag, Splunk
  • ID: be3418e2-551b-11eb-ae93-0242ac130002

Narrative

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio and is native to Windows. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.
The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file. MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.
The searches in this story help you detect and investigate suspicious activity that may indicate that an adversary is leveraging msbuild.exe to execute malicious code.
Triage
Validate execution\

  1. Determine if MSBuild.exe executed. Validate the OriginalFileName of MSBuild.exe and further PE metadata.\
  2. Determine if script code was executed with MSBuild.
    Situational Awareness
    The objective of this step is meant to identify suspicious behavioral indicators related to executed of Script code by MSBuild.exe.\
  3. Parent process. Is the parent process a known LOLBin? Is the parent process an Office Application?\
  4. Module loads. Are the known MSBuild.exe modules being loaded by a non-standard application? Is MSbuild loading any suspicious .DLLs?\
  5. Network connections. Any network connections? Review the reputation of the remote IP or domain.
    Retrieval of script code
    The objective of this step is to confirm the executed script code is benign or malicious.

Detections

Name Technique Type
Suspicious MSBuild Rename MSBuild, Rename System Utilities TTP
Suspicious MSBuild Spawn MSBuild TTP
Suspicious msbuild path MSBuild, Rename System Utilities TTP

Reference

source | version: 1