The SIEM app is now a part of the Elastic Security solution. Click here to view the current documentation.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.

« Microsoft Build Engine Loading Windows Credential Libraries Microsoft Build Engine Started by a Script Process »

› › ›

Microsoft Build Engine Started an Unusual Process

edit

Microsoft Build Engine Started an Unusual Process

edit

An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.

Rule type: query

Rule indices:

winlogbeat-*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

References:

https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html

Tags:

Elastic
Windows

Version: 1

Added (Elastic Stack release): 7.7.0

Potential false positives

edit

The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user, or host name.

Rule query

edit

process.parent.name:MSBuild.exe and process.name:(csc.exe or
iexplore.exe or powershell.exe)

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Compile After Delivery
- ID: T1500
- Reference URL: https://attack.mitre.org/techniques/T1500/

« Microsoft Build Engine Loading Windows Credential Libraries Microsoft Build Engine Started by a Script Process »