Potential Credential Access via Trusted Developer Utility

Elastic Detection Rules

Summary
This detection rule identifies potential credential access activity involving the Microsoft Build Engine (MSBuild). Because MSBuild can compile and execute code, adversaries can abuse it as a trusted developer utility to run their own payloads. Specifically, the rule monitors for an MSBuild process loading dynamic link libraries (DLLs) commonly associated with credential dumping, such as 'vaultcli.dll' and 'SAMLib.DLL'. The sequence event pairs the start of the MSBuild process with the loading of one of these DLLs by that same process, signalling a possible attacker maneuver. Investigation should cover the process execution chain, unusual account behaviour, and related activity within the same time frame to confirm a security incident. Recommended response includes immediate isolation of affected hosts, thorough malware scanning, and credential management to limit exposure where a compromise is confirmed.
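The sequence the summary describes, as an added example that is not Elastic's rule or its query: a small detector run over constructed process-start and library-load events that alerts when a process imaged as MSBuild.exe loads vaultcli.dll or SAMLib.DLL shortly after starting. The event schema, the 60-second window and the sample telemetry are assumptions made for this example.

```python
from dataclasses import dataclass

# DLLs the summary names as commonly associated with credential dumping.
CREDENTIAL_DLLS = {"vaultcli.dll", "samlib.dll"}
# The time window is an assumption for this example, not a value from the rule.
MAX_SPAN_SECONDS = 60.0

@dataclass
class Event:
    ts: float          # event time in seconds (constructed values)
    kind: str          # "process_start" or "library_load"
    pid: int
    process: str       # image name, e.g. "MSBuild.exe"
    dll: str = ""      # module path for library_load events

def module_name(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_msbuild_credential_loads(events: list[Event]) -> list[dict]:
    """One alert per credential-access DLL loaded by an MSBuild process within
    MAX_SPAN_SECONDS of that process starting (the sequence the page describes)."""
    msbuild_starts = {}  # pid -> start time of a live MSBuild process
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process_start":
            if ev.process.lower() == "msbuild.exe":
                msbuild_starts[ev.pid] = ev.ts
            else:
                msbuild_starts.pop(ev.pid, None)  # pid reused by another image
        elif ev.kind == "library_load" and ev.dll:
            started = msbuild_starts.get(ev.pid)
            name = module_name(ev.dll)
            if (started is not None and name in CREDENTIAL_DLLS
                    and ev.ts - started <= MAX_SPAN_SECONDS):
                alerts.append({"pid": ev.pid, "dll": name,
                               "seconds_after_start": ev.ts - started})
    return alerts

# Constructed sample telemetry: pid 4242 is the suspicious MSBuild run, pid 5000
# a benign build, pid 6100 a non-MSBuild process that also touches vaultcli.dll.
SAMPLE_EVENTS = [
    Event(1000.0, "process_start", 4242, "MSBuild.exe"),
    Event(1001.5, "library_load", 4242, "MSBuild.exe", r"C:\Windows\System32\vaultcli.dll"),
    Event(1002.0, "library_load", 4242, "MSBuild.exe", r"C:\Windows\System32\SAMLib.DLL"),
    Event(1010.0, "process_start", 5000, "MSBuild.exe"),
    Event(1010.2, "library_load", 5000, "MSBuild.exe", r"C:\Windows\System32\kernel32.dll"),
    Event(1020.0, "process_start", 6100, "explorer.exe"),
    Event(1020.5, "library_load", 6100, "explorer.exe", r"C:\Windows\System32\vaultcli.dll"),
]
```

Only the two loads by pid 4242 produce alerts; the benign build and the non-MSBuild process loading the same DLL do not, which is the pairing of process identity and module load that makes the sequence more specific than either event alone.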
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • File
  • Logon Session
ATT&CK Techniques
  • T1003
  • T1003.002
  • T1555
  • T1555.004
  • T1127
  • T1127.001
Created: 2020-03-25