Trusted Developer Application Usage
Identifies possibly suspicious activity using trusted Windows developer activity.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/02/18"
3deprecation_date = "2021/04/15"
4maturity = "deprecated"
5updated_date = "2021/04/15"
6
7[rule]
8author = ["Elastic"]
9description = "Identifies possibly suspicious activity using trusted Windows developer activity."
10false_positives = ["These programs may be used by Windows developers but use by non-engineers is unusual."]
11from = "now-9m"
12index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
13language = "kuery"
14license = "Elastic License v2"
15name = "Trusted Developer Application Usage"
16risk_score = 21
17rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1"
18severity = "low"
19tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
20timestamp_override = "event.ingested"
21type = "query"
22
23query = '''
24event.category:process and event.type:(start or process_started) and process.name:(MSBuild.exe or msxsl.exe)
25'''
26
27
28[[rule.threat]]
29framework = "MITRE ATT&CK"
30[[rule.threat.technique]]
31id = "T1127"
32name = "Trusted Developer Utilities Proxy Execution"
33reference = "https://attack.mitre.org/techniques/T1127/"
34
35
36[rule.threat.tactic]
37id = "TA0005"
38name = "Defense Evasion"
39reference = "https://attack.mitre.org/tactics/TA0005/"
40[[rule.threat]]
41framework = "MITRE ATT&CK"
42
43[rule.threat.tactic]
44id = "TA0002"
45name = "Execution"
46reference = "https://attack.mitre.org/tactics/TA0002/"