Microsoft Build Engine Started by a Script Process

An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/03/25"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 6min_stack_version = "8.6.0"
 7updated_date = "2024/03/28"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This
13behavior is unusual and is sometimes used by malicious payloads.
14"""
15false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "Microsoft Build Engine Started by a Script Process"
21risk_score = 21
22rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2"
23setup = """## Setup
24
25If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
26events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
27Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
28`event.ingested` to @timestamp.
29For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
30"""
31severity = "low"
32tags = ["Domain: Endpoint",
33        "OS: Windows",
34        "Use Case: Threat Detection",
35        "Tactic: Defense Evasion",
36        "Tactic: Execution",
37        "Data Source: Elastic Defend"
38        ]
39timestamp_override = "event.ingested"
40type = "new_terms"
41
42query = '''
43host.os.type:windows and event.category:process and event.type:start and (
44  process.name.caseless:"msbuild.exe" or process.pe.original_file_name:"MSBuild.exe") and 
45  process.parent.name:("cmd.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "cscript.exe" or
46    "wscript.exe" or "mshta.exe")
47'''
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51
52[[rule.threat.technique]]
53id = "T1127"
54name = "Trusted Developer Utilities Proxy Execution"
55reference = "https://attack.mitre.org/techniques/T1127/"
56
57[[rule.threat.technique.subtechnique]]
58id = "T1127.001"
59name = "MSBuild"
60reference = "https://attack.mitre.org/techniques/T1127/001/"
61
62[rule.threat.tactic]
63id = "TA0005"
64name = "Defense Evasion"
65reference = "https://attack.mitre.org/tactics/TA0005/"
66[[rule.threat]]
67framework = "MITRE ATT&CK"
68
69[[rule.threat.technique]]
70id = "T1059"
71name = "Command and Scripting Interpreter"
72reference = "https://attack.mitre.org/techniques/T1059/"
73[[rule.threat.technique.subtechnique]]
74id = "T1059.001"
75name = "PowerShell"
76reference = "https://attack.mitre.org/techniques/T1059/001/"
77[[rule.threat.technique.subtechnique]]
78id = "T1059.003"
79name = "Windows Command Shell"
80reference = "https://attack.mitre.org/techniques/T1059/003/"
81[[rule.threat.technique.subtechnique]]
82id = "T1059.005"
83name = "Visual Basic"
84reference = "https://attack.mitre.org/techniques/T1059/005/"
85
86
87
88[rule.threat.tactic]
89id = "TA0002"
90name = "Execution"
91reference = "https://attack.mitre.org/tactics/TA0002/"
92
93[rule.new_terms]
94field = "new_terms_fields"
95value = ["host.id", "user.name", "process.command_line"]
96
97[[rule.new_terms.history_window_start]]
98field = "history_window_start"
99value = "now-14d"
