Hunting .Net Malware
To hunt for msbuild execution, focus on Sysmon logs where the image of the process contains "msbuild.exe". Msbuild is being used by attackers to compile and execute code (https://lolbas-project.github
A generic hunt is to look for any process creation, where the image of the process contains "msbuild.exe":
To parse the logs using PowerShell and search for the presence of MSBuild, use the following PowerShell command ("$_.Properties[4]" refers to the Image field of a Sysmon Event ID 1 record):
The output:
The filename alone is a weak indicator, as it is easy to circumvent by simply renaming the binary. Stronger options are available, ranging from the file hash to other known fields or parameters. Observing MSBuild on a regular Windows 10 machine, we'll notice that the "Description" field is set to "MSBuild.exe". Let's use PowerShell and look for that in our data set ("$_.Properties[6]" represents the Description field of a Sysmon Event ID 1 record):
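The two hunts above (image name, then the Description field) can be run as one query that also reports the OriginalFileName and Hashes fields and flags the renamed-or-relocated case the page describes. This is an added example, not the page's own command; it assumes Sysmon writes to its default channel and uses the Sysmon 10+ field layout where Properties[4] is Image, [6] Description, [9] OriginalFileName, [10] CommandLine and [17] Hashes (older Sysmon versions shift these indexes).

```powershell
# Added example: hunt for MSBuild process creation by on-disk name AND by the
# PE version-resource fields, which survive a rename. Field indexes assume the
# Sysmon 10+ Event ID 1 layout (assumption; verify against your Sysmon version).
$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'

$events = Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 1 } -ErrorAction SilentlyContinue

$hits = $events | Where-Object {
    # Weak indicator: the file name. Strong indicators: Description and
    # OriginalFileName from the version resource, which a rename does not change.
    ($_.Properties[4].Value -like '*\msbuild.exe') -or
    ($_.Properties[6].Value -eq 'MSBuild.exe') -or
    ($_.Properties[9].Value -eq 'MSBuild.exe')
}

$hits | ForEach-Object {
    [PSCustomObject]@{
        TimeCreated      = $_.TimeCreated
        Image            = $_.Properties[4].Value
        Description      = $_.Properties[6].Value
        OriginalFileName = $_.Properties[9].Value
        CommandLine      = $_.Properties[10].Value
        Hashes           = $_.Properties[17].Value
        # MSBuild's version resource under a different file name ...
        Renamed          = ($_.Properties[4].Value -notlike '*\msbuild.exe')
        # ... or outside the .NET Framework / Visual Studio install paths.
        OddLocation      = ($_.Properties[4].Value -notmatch '^C:\\(Windows\\Microsoft\.NET|Program Files)')
    }
} | Format-Table -AutoSize
```

Rows where Renamed or OddLocation is True are the ones to pivot on; the Hashes column lets you confirm that a renamed binary really is the legitimate MSBuild image rather than something else claiming its description.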
Note that the binary image is "C:\Users\Public\Downloads\Windows_Reporting.exe", started with the command line parameter "Windows_Reporting.xml".
To search for the presence of CMD (Command Prompt), use the following PowerShell command ("$_.Properties[4]" refers to the Image field of a Sysmon Event ID 1 record), this time focusing on the ParentImage and ParentCommandLine fields:
The parent image is "mshta.exe", which has executed "report.hta". Based on the temporary location (of Microsoft Edge), we can conclude that the file was executed in a browser, which then started Windows_Reporting.exe.
The initial stager is an HTA file, however we are still not sure how and/or why MSBuild is renamed to Windows_Reporting.exe and located in an odd location.
We now know that MSBuild is present in an odd location under a different name, and that an HTA file was used to execute it. Since we know the file is called "Windows_Reporting.exe", let's look at all process creation events that reference this file with the following command ("$_.Properties[10]" represents the CommandLine field of a Sysmon Event ID 1 record):
From the first task, we know that Windows_Reporting.exe was executed with the command line argument "Windows_Reporting.xml". To find out how that XML file was created, we will look into Sysmon Event ID 11, the file create event. Execute the following command ("$_.Properties[5]" represents the TargetFilename field of a Sysmon Event ID 11 record):
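A query for the process-creation pivot described above, written as an added example rather than the page's own command. It assumes the Sysmon 10+ Event ID 1 layout where Properties[4] is Image, [10] CommandLine, [20] ParentImage and [21] ParentCommandLine; the file name Windows_Reporting.exe is taken from the page.

```powershell
# Added example: find every Event ID 1 record that names Windows_Reporting.exe
# either as the executed image or anywhere in a command line, so the launching
# event (mshta.exe running the HTA) is returned alongside the MSBuild run itself.
# Field indexes assume the Sysmon 10+ layout (assumption; verify on your build).
$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'
$Needle    = 'Windows_Reporting.exe'

Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 1 } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Properties[4].Value  -like "*$Needle*" -or
        $_.Properties[10].Value -like "*$Needle*"
    } |
    Sort-Object TimeCreated |
    ForEach-Object {
        [PSCustomObject]@{
            TimeCreated       = $_.TimeCreated
            Image             = $_.Properties[4].Value
            CommandLine       = $_.Properties[10].Value
            ParentImage       = $_.Properties[20].Value
            ParentCommandLine = $_.Properties[21].Value
        }
    } | Format-List
```

Sorting by TimeCreated gives the process chain in order; reading ParentImage and ParentCommandLine on each row is what exposes the mshta.exe / report.hta step without a separate query.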
Let's review the information that ATT&CK has on certutil.exe here. It states "certutil can be used to download files from a given URL". Following this information, we can dig up process creation events for certutil.exe with the following command:
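The file-create hunt (Event ID 11) and the certutil.exe process-creation hunt (Event ID 1) belong together, since the point is to tie the download to the file that appeared on disk. The block below does both in one pass; it is an added example, not the page's own command. It assumes the Sysmon 10+ layouts where Event ID 11 has Properties[4] as Image and [5] as TargetFilename, and Event ID 1 has [4] Image, [10] CommandLine and [20] ParentImage. The ten-minute correlation window is a constructed threshold, and the certutil switches matched are the documented download/verify switches, not something taken from the page.

```powershell
# Added example: (1) which process created Windows_Reporting.xml, then (2) any
# certutil.exe process creation within a window around that time, with a flag for
# the download-capable switches. Field indexes assume Sysmon 10+ (assumption).
$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'

# Step 1: file-create events for the XML payload.
$creates = Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 11 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -like '*\Windows_Reporting.xml' } |
    ForEach-Object {
        [PSCustomObject]@{
            TimeCreated    = $_.TimeCreated
            Image          = $_.Properties[4].Value
            TargetFilename = $_.Properties[5].Value
        }
    }
$creates | Format-Table -AutoSize

# Step 2: certutil.exe executions near each file creation (constructed window).
$windowMinutes = 10
$creates | ForEach-Object {
    $t = $_.TimeCreated
    Get-WinEvent -FilterHashtable @{
        LogName   = $SysmonLog; Id = 1
        StartTime = $t.AddMinutes(-$windowMinutes); EndTime = $t.AddMinutes($windowMinutes)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[4].Value -like '*\certutil.exe' } |
    ForEach-Object {
        [PSCustomObject]@{
            TimeCreated  = $_.TimeCreated
            CommandLine  = $_.Properties[10].Value
            ParentImage  = $_.Properties[20].Value
            # urlcache / verifyctl are the certutil switches documented as able to
            # fetch from a URL; a match here is a strong detection signal.
            DownloadFlag = ($_.Properties[10].Value -match '(?i)urlcache|verifyctl')
        }
    }
} | Format-Table -AutoSize
```

If Step 1 returns certutil.exe as the creating Image, the correlation is already closed; Step 2 still matters when the file was written by a different process (for example after a rename or copy) and the download itself happened slightly earlier.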
Reviewing the discovered Windows_Reporting.xml reveals the attacker's C2 IP and Port:
The same can be observed in the Sysmon logs, in particular Event ID 3, filtering for Windows_Reporting.exe with the following command:
Overall, there are 51 connections.
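To turn the raw connection count into something actionable, the Event ID 3 records can be grouped by destination and cross-checked against the XML payload. This is an added example, not the page's own command. It assumes the Sysmon 10+ Event ID 3 layout where Properties[4] is Image, [14] DestinationIp and [16] DestinationPort, and it assumes the XML sits beside the executable in C:\Users\Public\Downloads (the page gives only the executable's path and a relative XML argument).

```powershell
# Added example: count and group Sysmon network-connect events (Event ID 3) for
# Windows_Reporting.exe, then look for IPv4 addresses inside the XML payload.
# Field indexes assume the Sysmon 10+ layout (assumption; verify on your build).
$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'

$conns = @(Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 3 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[4].Value -like '*\Windows_Reporting.exe' })

"Total connections: $($conns.Count)"   # the page's data set shows 51

$conns | ForEach-Object {
        [PSCustomObject]@{
            DestinationIp   = $_.Properties[14].Value
            DestinationPort = $_.Properties[16].Value
            TimeCreated     = $_.TimeCreated
        }
    } |
    Group-Object DestinationIp, DestinationPort |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeCreated
        [PSCustomObject]@{
            Destination = $_.Name
            Count       = $_.Count
            FirstSeen   = $sorted[0].TimeCreated
            LastSeen    = $sorted[-1].TimeCreated
        }
    } | Sort-Object Count -Descending | Format-Table -AutoSize

# Cross-check: IPv4 literals embedded in the XML (path is an assumption).
$xmlPath = 'C:\Users\Public\Downloads\Windows_Reporting.xml'
if (Test-Path $xmlPath) {
    Select-String -Path $xmlPath -Pattern '\b(\d{1,3}\.){3}\d{1,3}\b' -AllMatches |
        ForEach-Object { $_.Matches.Value } | Sort-Object -Unique
}
```

A single destination with a steady FirstSeen-to-LastSeen spread and a count matching the total is the beaconing pattern to expect here; an address that appears both in the grouped output and in the XML confirms the C2 configuration the page identifies.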