
Process Injection by the Microsoft Build Engine

An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-windows.*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: None (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion
  • Sysmon Only

Version: 103

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

process.name:MSBuild.exe and host.os.type:windows and event.action:"CreateRemoteThread detected (rule: CreateRemoteThread)"
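The query above, as an added example that is not from the rule page or Elastic's own code: a small Python evaluator that applies the three AND-ed clauses to constructed ECS-style events, renders the clause list back into the KQL string shown on the page, and shows why a Sysmon Event ID 8 (CreateRemoteThread) from MSBuild alerts while a plain process-creation event, or an event whose host.os.type was never populated, does not. The sample events, PIDs and the winlog.event_data.TargetImage field are constructed for the example, and exact, case-sensitive string comparison is an assumption standing in for keyword-field matching.

```python
"""Added example, not part of the Elastic rule page or Elastic's code.

Evaluates the three AND-ed clauses of the rule query over constructed
ECS-style events and shows which one raises an alert. Assumptions: each
KQL clause is treated as an exact, case-sensitive string comparison on a
dotted ECS field (how a keyword field behaves); the sample events, PIDs,
and the winlog.event_data.TargetImage field are constructed. Sysmon
Event ID 8 is the CreateRemoteThread event the rule's event.action
string refers to.
"""
from typing import Any, Dict, Iterable, List, Tuple

RULE_NAME = "Process Injection by the Microsoft Build Engine"

# (ECS field, required value) for each clause of the rule query, in order.
RULE_CONDITIONS: Tuple[Tuple[str, str], ...] = (
    ("process.name", "MSBuild.exe"),
    ("host.os.type", "windows"),
    ("event.action", "CreateRemoteThread detected (rule: CreateRemoteThread)"),
)


def get_field(event: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted ECS path such as 'process.name' in a nested dict;
    None when any segment is absent (a missing field never matches)."""
    node: Any = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_rule(event: Dict[str, Any]) -> bool:
    """True only when every clause of the query matches the event."""
    return all(get_field(event, field) == value for field, value in RULE_CONDITIONS)


def _kql_value(value: str) -> str:
    """Quote a KQL value unless it is a bare token (letters, digits, . _ -)."""
    if all(ch.isalnum() or ch in "._-" for ch in value):
        return value
    return '"' + value.replace('"', '\\"') + '"'


def to_kql(conditions: Tuple[Tuple[str, str], ...] = RULE_CONDITIONS) -> str:
    """Render the clause list back into the KQL string the page shows."""
    return " and ".join(f"{field}:{_kql_value(value)}" for field, value in conditions)


def evaluate(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one alert record per matching event, in input order.
    Severity and risk score are the values stated on the rule page."""
    alerts: List[Dict[str, Any]] = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({
                "rule": RULE_NAME,
                "severity": "low",
                "risk_score": 21,
                "source_pid": get_field(ev, "process.pid"),
                "target_image": get_field(ev, "winlog.event_data.TargetImage"),
            })
    return alerts


# Constructed sample events, shaped like winlogbeat's Sysmon mapping.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # 0: MSBuild created a remote thread -> matches every clause.
        "host": {"os": {"type": "windows"}},
        "process": {"name": "MSBuild.exe", "pid": 4120},
        "event": {"code": "8",
                  "action": "CreateRemoteThread detected (rule: CreateRemoteThread)"},
        "winlog": {"event_data": {"TargetImage": r"C:\Windows\System32\notepad.exe"}},
    },
    {   # 1: ordinary MSBuild process start (Sysmon Event ID 1) -> event.action differs.
        "host": {"os": {"type": "windows"}},
        "process": {"name": "MSBuild.exe", "pid": 4120},
        "event": {"code": "1", "action": "Process Create (rule: ProcessCreate)"},
    },
    {   # 2: same CreateRemoteThread action, but host.os.type was never populated,
        # so the host.os.type clause fails: a data-quality gap, not a clean result.
        "host": {"name": "build01"},
        "process": {"name": "MSBuild.exe", "pid": 5008},
        "event": {"code": "8",
                  "action": "CreateRemoteThread detected (rule: CreateRemoteThread)"},
        "winlog": {"event_data": {"TargetImage": r"C:\Windows\System32\notepad.exe"}},
    },
]

if __name__ == "__main__":
    print(to_kql())
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Because the clauses are AND-ed, an event that lacks any one field silently never alerts; the third sample event exists to make that visible. Before relying on this rule, confirm that the winlogbeat-* or logs-windows.* indices actually carry host.os.type and the Sysmon event.action string, since the rule is tagged Sysmon Only and has no fallback to other CreateRemoteThread sources.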

Framework: MITRE ATT&CK™
