IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Microsoft Build Engine Loading Windows Credential Libraries
editMicrosoft Build Engine Loading Windows Credential Libraries
editAn instance of the Microsoft Build Engine (MSBuild) loaded dynamically linked libraries (DLLs) responsible for Windows credential management. This technique is sometimes used for credential dumping.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References: None
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Credential Access
Version: 9
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editsequence by process.entity_id [process where event.type == "start" and (process.name : "MSBuild.exe" or process.pe.original_file_name == "MSBuild.exe")] [library where dll.name : ("vaultcli.dll", "SAMLib.DLL")]
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: OS Credential Dumping
- ID: T1003
- Reference URL: https://attack.mitre.org/techniques/T1003/