A newer version is available. For the latest information, see the
current release documentation.
Microsoft Build Engine Loading Windows Credential Librariesedit
An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.
Rule type: query
Rule indices:
- winlogbeat-*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum signals per execution: 100
Tags:
- Elastic
- Windows
Version: 1
Added (Elastic Stack release): 7.7.0
Potential false positivesedit
The Build Engine is commonly used by Windows developers but use by non-engineers is unusual.
Rule queryedit
(winlog.event_data.OriginalFileName: (vaultcli.dll or SAMLib.DLL) or dll.name: (vaultcli.dll or SAMLib.DLL)) and process.name: MSBuild.exe and event.action: "Image loaded (rule: ImageLoad)"
Threat mappingedit
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: Credential Dumping
- ID: T1003
- Reference URL: https://attack.mitre.org/techniques/T1003/