Microsoft Build Engine Loading Windows Credential Libraries

Elastic Stack Serverless Security

An instance of the Microsoft Build Engine (MSBuild) loaded dynamically linked libraries (DLLs) responsible for Windows credential management. This technique is sometimes used for credential dumping.

Rule type: eql

Rule indices:

• winlogbeat-*
• logs-endpoint.events.*
• logs-windows.*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

• Elastic
• Host
• Windows
• Threat Detection
• Credential Access

Version: 9

Rule authors:

• Elastic

Rule license: Elastic License v2

sequence by process.entity_id
 [process where event.type == "start" and (process.name : "MSBuild.exe" or process.pe.original_file_name == "MSBuild.exe")]
 [library where dll.name : ("vaultcli.dll", "SAMLib.DLL")]

Framework: MITRE ATT&CKTM

• Tactic:

  • Name: Credential Access
  • ID: TA0006
  • Reference URL: https://attack.mitre.org/tactics/TA0006/

• Technique:

  • Name: OS Credential Dumping
  • ID: T1003
  • Reference URL: https://attack.mitre.org/techniques/T1003/