Use of MSBuild as LOLBin

Hunt Hypothesis

The Use of MSBuild as LOLBin detects adversaries leveraging MSBuild.exe as a command-and-control tool to exfiltrate data and establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage Macaw ransomware activity and disrupt its deployment before significant damage occurs.

KQL Query

DeviceProcessEvents 
| where InitiatingProcessFileName =~ "wmiprvse.exe" 
| where FileName =~ "msbuild.exe" and ProcessCommandLine has "programdata"

Analytic Rule Definition

id: 166c732a-a02e-4c7a-a441-cb74fe3c3f2d
name: Use of MSBuild as LOLBin
description: |
  Prior to deploying Macaw ransomware in an organization, the adversary frequently uses MSBuild.exe as a LOLBin to communicate with the C2.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
tactics:
- Command and control
query: |
  DeviceProcessEvents 
  | where InitiatingProcessFileName =~ "wmiprvse.exe" 
  | where FileName =~ "msbuild.exe" and ProcessCommandLine has "programdata"

Required Data Sources

Sentinel Table	Notes
`DeviceProcessEvents`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: Command and control

References

[Source Query](https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Campaigns/Macaw Ransomware/Use of MSBuild as LOLBin.yaml)

False Positive Guidance

Scenario: Scheduled Build Process Using MSBuild
Description: A legitimate CI/CD pipeline uses MSBuild.exe to compile .NET projects as part of an automated build job.
Filter/Exclusion: process.parent_process_name == "VisualStudio.exe" OR process.parent_process_name == "dotnet.exe" OR process.name == "msbuild.exe" AND process.command_line LIKE "%/p:Configuration=Release%"
Scenario: System Update or Patching Task
Description: A system administrator uses MSBuild.exe to execute a custom script that updates or patches software, which may involve invoking MSBuild as part of a deployment task.
Filter/Exclusion: process.parent_process_name == "task scheduler" OR process.parent_process_name == "schtasks.exe" OR process.command_line LIKE "%update%"
Scenario: Internal Tool for Code Generation
Description: A development team uses a custom internal tool that leverages MSBuild.exe to generate code or configuration files during development.
Filter/Exclusion: process.name == "msbuild.exe" AND process.command_line LIKE "%/t:GenerateCode%" AND process.parent_process_name == "VisualStudio.exe"
Scenario: Administrative Task for Configuration Management
Description: An admin uses MSBuild.exe to run a configuration management script that updates application settings across multiple servers.
Filter/Exclusion: process.name == "msbuild.exe" AND process.command_line LIKE "%/t:ConfigureSettings%" AND process.parent_process_name == "PowerShell.exe" AND process.parent_process_command_line LIKE "%-Command%"
Scenario: Legacy Application Deployment
Description: An organization uses MSBuild.exe to deploy a legacy .NET application that is no longer actively maintained but still runs in production.
Filter/Exclusion: `process.name == “msbuild.exe” AND process