Potential Credential Access via Trusted Developer Utility
An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2026/04/22"

[rule]
author = ["Elastic"]
description = """
An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows
credential management. This technique is sometimes used for credential dumping.
"""
false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
from = "now-9m"
index = [
  "winlogbeat-*",
  "logs-endpoint.events.process-*",
  "logs-endpoint.events.library-*",
  "logs-windows.sysmon_operational-*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Credential Access via Trusted Developer Utility"
references = [
  "https://lolbas-project.github.io/lolbas/Binaries/Msbuild/",
]
risk_score = 73
rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Credential Access",
  "Tactic: Defense Evasion",
  "Resources: Investigation Guide",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
sequence by process.entity_id
  [process where host.os.type == "windows" and event.type == "start" and (process.name : "MSBuild.exe" or process.pe.original_file_name == "MSBuild.exe")]
  [library where host.os.type == "windows" and dll.name : ("vaultcli.dll", "SAMLib.DLL")]
'''

note = """## Triage and analysis

### Investigating Potential Credential Access via Trusted Developer Utility

#### Possible investigation steps

- What do the matched source events show about the MSBuild instance?
  - Focus: Timeline source events for `process.entity_id` -- the start-event `process.executable` and `process.command_line` plus the library-stage `dll.path`.
  - Implication: more concerning when MSBuild loads vaultcli.dll or SAMLib.dll from an unusual path or unexpected context; more explainable when Timeline shows a recognized build task loading the library from the default Windows system directory.

- Are the MSBuild binary and launch chain expected for this host?
  - Focus: `process.executable`, `process.pe.original_file_name`, `process.code_signature.subject_name`, and `process.parent.executable`.
  - Implication: more concerning when MSBuild is renamed, unsigned, user-writable, outside expected .NET Framework or Visual Studio build roots, or launched by Office, a script host, an archive utility, or another unexpected parent.

- Does the command line or project path suggest transient or user-delivered build content?
  - Focus: `process.command_line` and `process.working_directory`, especially .csproj, .xml, .proj, /logger, or @ response-file paths in temp folders, downloads, removable media, user-profile paths, or network shares.
  - Implication: supports concern when MSBuild runs user-delivered project content, logger DLLs, response files, or inline tasks outside normal compilation; less suspicious when the project resides in a stable source tree or CI workspace and the build arguments match a recurring compilation pattern.

- Do the loaded credential library's path, trust, and recency fit legitimate development behavior?
  - Focus: `dll.name`, `dll.path`, `dll.code_signature.trusted`, and `dll.Ext.relative_file_creation_time`.
  - Implication: supports concern when vaultcli or SAMLib loads from user-writable or transient paths, arrives unsigned, or was created shortly before the load; weaker support when the path is the expected Windows system directory and project context supports a recognized credential-management test.

- Do file writes or child processes show MSBuild acting as a launcher instead of a compiler?
  - Focus: file activity from `process.entity_id`: written `file.path` values, especially payloads, scripts, or compiled artifacts in user-writable paths. $investigate_2
  - Hint: review child starts where `process.parent.entity_id` equals the MSBuild entity; shell or script-engine children are stronger than normal compiler toolchain children. $investigate_3
  - Implication: suggests proxy execution when MSBuild drops payloads, stages scripts or compiled artifacts, or spawns shells or script engines. Missing file telemetry is unresolved, not benign.

- Does MSBuild or any of its child processes attempt off-host staging?
  - Focus: same-host connection events for the MSBuild `process.entity_id` or direct children where `process.parent.entity_id` matches the MSBuild entity, with `destination.ip` and `destination.port`. $investigate_4
  - Implication: supports containment when suspicious project, DLL, file, or child-process evidence is followed by outbound staging; missing network telemetry is unresolved, not benign.

- Does the user and host context fit developer or build-runner activity?
  - Focus: `user.id`, `user.domain`, `process.Ext.session_info.logon_type`, `host.id`, and `host.name`; compare prior source events for the same user-host cohort.
  - Implication: risk rises when the user-host pair has no recurring build-tool history or when the session type is unexpected; lower only when the user, host, session, and source events fit a bounded developer or build-service pattern.

- If local MSBuild evidence is still suspicious, does related alert history show the same user or host reusing trusted-utility abuse patterns?
  - Focus: related alerts for `user.id`, especially trusted-utility abuse, credential access, lateral movement, or launches of "InstallUtil", "RegAsm", "MSHTA", or similar signed proxies; inspect their source events before comparing project paths or destinations. $investigate_0
  - Hint: compare `host.id` alert history to assess whether activity is confined to this asset. $investigate_1
  - Implication: suggests broader scope when the same user or host shows trusted-utility abuse, persistence, staging, or credential-access alerts; stays localized when history is limited to the same recognized build or test workflow on this asset.

- Escalate when MSBuild identity, project path, loaded library, follow-on behavior, user-host context, or alert scope show unrecognized use, credential-library loads from non-standard paths, or payload behavior; close only when all jointly fit a recognized build or test scenario; preserve and escalate when evidence is mixed or visibility incomplete.

### False positive analysis

- Authorized credential-management tests, security-tool validation, or build pipelines compiling code that uses Windows credential APIs can legitimately trigger vaultcli.dll or SAMLib.dll loads. Confirm only when `process.command_line`, project path, `dll.path`, `process.executable`, `process.parent.executable`, `user.id`, and `host.id` align with that same recognized lab or build-pipeline workflow. If records are unavailable, require the same process-identity fields, loaded `dll.path`, and `user.id`/`host.id` to recur across prior alerts before treating the activity as benign.
- Before creating an exception, validate that `process.executable`, `process.code_signature.subject_name`, `process.parent.executable`, a stable `process.command_line` pattern, loaded `dll.path`, `user.id`, and `host.id` recur across prior alerts from this rule. Build the exception from that minimum confirmed workflow pattern. Avoid exceptions on `process.name` alone, the library name alone, or the host alone.

### Response and remediation

- If confirmed benign, reverse temporary containment and record the confirmed explanation in terms of `process.executable`, `process.parent.executable`, the project path from `process.command_line`, loaded `dll.path`, `user.id`, and `host.id`. Create an exception only if that same pattern recurs consistently across prior alerts from this rule.
- If suspicious but unconfirmed, preserve a case export for the recovered MSBuild process, its command line, project/task files, loaded credential DLL, dropped artifacts, child-process lineage, and confirmed destinations. Apply reversible containment first -- temporary destination restrictions or heightened monitoring on `host.id` and `user.id` -- and escalate to host isolation only when preserved evidence shows meaningful staging or payload risk.
- If confirmed malicious, use endpoint response actions to isolate the host and terminate MSBuild or its staging child processes after preserving the recovered MSBuild and parent entity IDs, project files, compiled artifacts, child processes, confirmed destinations, and loaded DLL path. If direct endpoint response is unavailable, hand off that artifact set immediately to the team that can isolate the host or block the destinations.
- Eradicate the malicious project files, inline tasks, payloads, persistence artifacts, and secondary tooling uncovered during the investigation, then remediate the delivery or execution-control gap that allowed MSBuild to proxy the credential-access behavior.
- Investigate credential exposure based on what the project targeted: review Windows Credential Manager, saved secrets, and local-account exposure on the host, and rotate or revoke affected credentials according to the recovered artifacts and follow-on activity.
- Review related hosts for the same project-path pattern, library-load combination, child-process behavior, and adjacent trusted-developer-utility abuse before deleting files or removing tooling, and retain process, library, file, and network telemetry needed for future cases.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Sysmon Event ID 7 - Image Loaded](https://ela.st/sysmon-event-7-setup)
"""

[rule.investigation_fields]
field_names = [
  "@timestamp",
  "host.id",
  "user.name",
  "user.id",
  "process.entity_id",
  "process.executable",
  "process.command_line",
  "process.working_directory",
  "process.parent.executable",
  "process.code_signature.subject_name",
  "process.Ext.session_info.logon_type",
  "dll.name",
  "dll.path",
  "dll.code_signature.trusted",
  "dll.Ext.relative_file_creation_time",
]

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "File activity for the MSBuild process and children"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Child processes spawned by MSBuild"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Network activity for the MSBuild process and children"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.002"
name = "Security Account Manager"
reference = "https://attack.mitre.org/techniques/T1003/002/"

[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"
[[rule.threat.technique.subtechnique]]
id = "T1555.004"
name = "Windows Credential Manager"
reference = "https://attack.mitre.org/techniques/T1555/004/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1127"
name = "Trusted Developer Utilities Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1127/"
[[rule.threat.technique.subtechnique]]
id = "T1127.001"
name = "MSBuild"
reference = "https://attack.mitre.org/techniques/T1127/001/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
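The rule's query is a two-stage EQL sequence joined on `process.entity_id`: first a Windows process start that is MSBuild either by `process.name` or by `process.pe.original_file_name`, then a library event for the same entity loading vaultcli.dll or SAMLib.DLL. The Python below is an added illustration, not code from the Elastic rule or its tooling: it replays that sequence over constructed ECS-style events to show the three details that matter in practice, namely that the EQL `:` operator compares case-insensitively (so a mixed-case `VaultCli.dll` still matches), that the `process.pe.original_file_name` clause catches a renamed copy of MSBuild, and that a credential DLL load with no preceding observed process start never completes the sequence. Event contents, entity ids and paths are constructed; the join semantics are simplified to one pending start per entity id.

```python
"""Replay of the rule's two-stage EQL sequence over constructed ECS-style events.

Added example, not Elastic's code. Events are flat dicts keyed by ECS field
name; the sample set at the bottom is constructed for illustration.
"""
from __future__ import annotations

# dll.name values the second stage matches; EQL ':' compares case-insensitively,
# so "SAMLib.DLL" in the rule also matches "samlib.dll" as seen on disk.
CREDENTIAL_DLLS = frozenset({"vaultcli.dll", "samlib.dll"})


def is_msbuild_start(ev: dict) -> bool:
    """Stage 1: a Windows process start that is MSBuild by name or by PE original file name."""
    name = (ev.get("process.name") or "").lower()
    return (
        ev.get("host.os.type") == "windows"
        and ev.get("event.category") == "process"
        and ev.get("event.type") == "start"
        and (name == "msbuild.exe" or ev.get("process.pe.original_file_name") == "MSBuild.exe")
    )


def is_credential_dll_load(ev: dict) -> bool:
    """Stage 2: a Windows library event loading a credential-management DLL."""
    return (
        ev.get("host.os.type") == "windows"
        and ev.get("event.category") == "library"
        and (ev.get("dll.name") or "").lower() in CREDENTIAL_DLLS
    )


def run_sequence(events: list[dict]) -> list[tuple[dict, dict]]:
    """Emulate `sequence by process.entity_id` with no maxspan.

    A stage-1 match opens a pending sequence keyed on the entity id; the next
    stage-2 event with the same key closes it. A DLL load whose process start
    was never observed cannot match, which is why the rule needs process
    telemetry and not only image-load events. Simplification: a newer start
    for the same key replaces an older pending one.
    """
    pending: dict[str, dict] = {}
    matches: list[tuple[dict, dict]] = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = ev.get("process.entity_id")
        if not key:
            continue
        if is_msbuild_start(ev):
            pending[key] = ev
        elif is_credential_dll_load(ev) and key in pending:
            matches.append((pending.pop(key), ev))
    return matches


def alert_fields(match: tuple[dict, dict]) -> dict:
    """Pull the fields the investigation guide asks for first."""
    start, load = match
    return {
        "process.entity_id": start["process.entity_id"],
        "process.executable": start.get("process.executable"),
        "process.parent.executable": start.get("process.parent.executable"),
        "process.command_line": start.get("process.command_line"),
        "dll.path": load.get("dll.path"),
    }


def _proc(ts, eid, exe, name, parent, cmd, original="MSBuild.exe"):
    return {"@timestamp": ts, "host.os.type": "windows", "event.category": "process",
            "event.type": "start", "process.entity_id": eid, "process.executable": exe,
            "process.name": name, "process.pe.original_file_name": original,
            "process.parent.executable": parent, "process.command_line": cmd}


def _lib(ts, eid, path):
    return {"@timestamp": ts, "host.os.type": "windows", "event.category": "library",
            "process.entity_id": eid, "dll.path": path, "dll.name": path.rsplit("\\", 1)[-1]}


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # e1: Visual Studio build that loads only ordinary runtime DLLs -> no match
    _proc("2026-04-22T10:00:00Z", "e1",
          r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
          "MSBuild.exe", r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
          r'"MSBuild.exe" C:\src\app\app.sln /t:Build'),
    _lib("2026-04-22T10:00:01Z", "e1", r"C:\Windows\System32\kernel32.dll"),
    # e2: renamed copy of MSBuild launched by Word; caught via original_file_name, mixed-case DLL name
    _proc("2026-04-22T10:05:00Z", "e2", r"C:\Users\alice\AppData\Local\Temp\build.exe", "build.exe",
          r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"build.exe C:\Users\alice\Downloads\invoice.csproj"),
    _lib("2026-04-22T10:05:02Z", "e2", r"C:\Windows\System32\VaultCli.dll"),
    # e3: samlib.dll load with no observed MSBuild start -> stage 1 never matched, no sequence
    _lib("2026-04-22T10:06:00Z", "e3", r"C:\Windows\System32\samlib.dll"),
    # e4: genuine MSBuild, lower-case name, spawned from cmd.exe, loading samlib.dll -> match
    _proc("2026-04-22T10:07:00Z", "e4", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe",
          "msbuild.exe", r"C:\Windows\System32\cmd.exe", r"msbuild.exe C:\Users\bob\Desktop\task.xml"),
    _lib("2026-04-22T10:07:01Z", "e4", r"C:\Windows\System32\samlib.dll"),
]


if __name__ == "__main__":
    for m in run_sequence(SAMPLE_EVENTS):
        print(alert_fields(m))
```

Running the block reports the e2 and e4 sequences and nothing for e1 or e3. The e3 case is the one worth remembering when tuning data sources: Sysmon Event ID 7 alone is not enough, because without the Event ID 1 process start the sequence never opens.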
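The investigation steps above are written as questions with a focus field set and an implication. The Python below is an added illustration, not Elastic's code, that turns those steps into a scoring pass over one alert's investigation fields and applies the closing rule of the guide: escalate on any concern, close only when every check fits, and treat missing fields as incomplete visibility rather than as benign. The expected MSBuild install roots, the unexpected-parent list, the transient-path patterns and the one-hour recency threshold are assumptions for illustration; `dll.Ext.relative_file_creation_time` is treated as seconds elapsed between the DLL's creation and the load; the user/host history check, which needs prior source events a single alert does not carry, is represented by a caller-supplied flag. The two alerts at the bottom are constructed.

```python
"""Scoring one alert against the investigation steps above.

Added example, not Elastic's code. The input is a flat dict keyed by the ECS
field names in rule.investigation_fields. Install roots, parent list,
path patterns and the recency threshold are assumptions for illustration.
"""
import re

EXPECTED_MSBUILD_PATHS = [  # assumed install roots, matched against the lower-cased executable
    re.compile(r"^c:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\msbuild\.exe$"),
    re.compile(r"^c:\\program files( \(x86\))?\\microsoft visual studio\\.*\\msbuild\\.*\\bin\\(amd64\\)?msbuild\.exe$"),
]
UNEXPECTED_PARENTS = {  # Office, script hosts, archive tools: none of them orchestrate builds
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "7z.exe", "winrar.exe",
}
# temp folders, downloads, user-profile locations and UNC shares
TRANSIENT_PATH = re.compile(
    r"\\temp\\|\\downloads\\|\\users\\[^\\]+\\(desktop|appdata)\\|\\\\[^\\]+\\", re.I)
# project files, logger DLLs and @response-file arguments on the MSBuild command line
PROJECT_ARG = re.compile(r"(\S+\.(?:csproj|proj|xml)\b|/logger:\S+|@\S+)", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
NEW_FILE_SECONDS = 3600  # assumed threshold for "created shortly before the load"


def triage(alert: dict, recurring_build_cohort: bool = False) -> dict:
    """Return concerns, explainable findings, missing fields and a verdict.

    recurring_build_cohort stands in for the user/host history check, which
    needs prior source events that a single alert does not carry.
    """
    concerns, explainable, missing = [], [], []

    def field(name):
        value = alert.get(name)
        if value is None:
            missing.append(name)
        return value

    exe = (field("process.executable") or "").lower()
    parent = (field("process.parent.executable") or "").lower().rsplit("\\", 1)[-1]
    signer = field("process.code_signature.subject_name")
    cmd = field("process.command_line") or ""
    dll_path = (field("dll.path") or "").lower()
    dll_trusted = field("dll.code_signature.trusted")
    dll_age = field("dll.Ext.relative_file_creation_time")

    # MSBuild identity and launch chain
    if exe and not any(p.match(exe) for p in EXPECTED_MSBUILD_PATHS):
        concerns.append(f"MSBuild outside expected build roots: {exe}")
    if exe and TRANSIENT_PATH.search(exe):
        concerns.append(f"MSBuild image in a user-writable or transient path: {exe}")
    if signer is not None and signer != "Microsoft Corporation":
        concerns.append(f"unexpected code signer: {signer}")
    if parent in UNEXPECTED_PARENTS:
        concerns.append(f"unexpected parent: {parent}")

    # Project content: user-delivered or transient build input
    args = PROJECT_ARG.findall(cmd)
    transient = [a for a in args if TRANSIENT_PATH.search(a)]
    concerns += [f"build content from transient path: {a}" for a in transient]
    if args and not transient:
        explainable.append("project and logger arguments resolve to stable paths")

    # Loaded credential library: path, trust, recency
    if dll_path:
        if dll_path.startswith(SYSTEM_DIRS):
            explainable.append(f"credential DLL loaded from the Windows system directory: {dll_path}")
        else:
            concerns.append(f"credential DLL loaded from a non-standard path: {dll_path}")
    if dll_trusted is False:
        concerns.append("credential DLL is not signed by a trusted publisher")
    if dll_age is not None and dll_age < NEW_FILE_SECONDS:
        concerns.append(f"credential DLL created {dll_age:.0f}s before the load")

    # User and host context
    if recurring_build_cohort:
        explainable.append("user/host pair has recurring build-tool history")
    else:
        concerns.append("no recurring build-tool history for this user/host pair")

    # Close only when everything fits; incomplete visibility is unresolved, not benign
    if concerns:
        verdict = "escalate"
    elif missing:
        verdict = "preserve and escalate"
    else:
        verdict = "close"
    return {"verdict": verdict, "concerns": concerns, "explainable": explainable, "missing": missing}


# Constructed alerts (not real telemetry)
SUSPICIOUS_ALERT = {
    "process.executable": r"C:\Users\alice\AppData\Local\Temp\build.exe",
    "process.parent.executable": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    "process.code_signature.subject_name": "Microsoft Corporation",
    "process.command_line": r"build.exe C:\Users\alice\Downloads\invoice.csproj /logger:C:\Users\alice\Downloads\log.dll",
    "dll.path": r"C:\Windows\System32\vaultcli.dll",
    "dll.code_signature.trusted": True,
    "dll.Ext.relative_file_creation_time": 31536000.0,
}
BENIGN_ALERT = {
    "process.executable": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
    "process.parent.executable": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
    "process.code_signature.subject_name": "Microsoft Corporation",
    "process.command_line": r'"MSBuild.exe" C:\src\credtests\CredentialManager.Tests.csproj /t:Build',
    "dll.path": r"C:\Windows\System32\vaultcli.dll",
    "dll.code_signature.trusted": True,
    "dll.Ext.relative_file_creation_time": 31536000.0,
}

if __name__ == "__main__":
    print(triage(SUSPICIOUS_ALERT))
    print(triage(BENIGN_ALERT, recurring_build_cohort=True))
```

Note that the suspicious alert still loads vaultcli.dll from System32 with a trusted signature: the DLL step alone is explainable, and it is the renamed image in %TEMP%, the Word parent and the project and logger paths under Downloads that drive the escalate verdict. That is why the false-positive guidance warns against exceptions built on the library name alone.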
References
- https://lolbas-project.github.io/lolbas/Binaries/Msbuild/
Related rules
- Potential Credential Access via Windows Utilities
- Potential Local NTLM Relay via HTTP
- Browser Process Spawned from an Unusual Parent
- Creation or Modification of Domain Backup DPAPI private key
- Credential Acquisition via Registry Hive Dumping