IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Microsoft Build Engine Loading Windows Credential Librariesedit
An instance of the Microsoft Build Engine (MSBuild) loaded dynamically linked libraries (DLLs) responsible for Windows credential management. This technique is sometimes used for credential dumping.
Rule type: eql
Rule indices:
- winlogbeat-*
- logs-endpoint.events.*
- logs-windows.*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References: None
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Credential Access
Version: 9
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule queryedit
sequence by process.entity_id [process where event.type == "start" and (process.name : "MSBuild.exe" or process.pe.original_file_name == "MSBuild.exe")] [library where dll.name : ("vaultcli.dll", "SAMLib.DLL")]
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: OS Credential Dumping
- ID: T1003
- Reference URL: https://attack.mitre.org/techniques/T1003/