Microsoft Build Engine Started by a Script Process

An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.


# Elastic prebuilt detection rule: MSBuild (msbuild.exe) started by a shell or
# script interpreter. [metadata] is consumed by Elastic's rule tooling; the
# detection logic itself is the KQL string in [rule].query.
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This
behavior is unusual and is sometimes used by malicious payloads.
"""
false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
# Look-back window per rule execution. The rule evaluates on
# timestamp_override = "event.ingested" (set further down), which is why the
# setup text explains how to populate that field on non-Agent indices.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft Build Engine Started by a Script Process"
# Low risk/severity: MSBuild is legitimate developer tooling (see
# false_positives). The new_terms rule type below is what narrows alerting to
# host/user/command-line combinations not seen in the history window.
risk_score = 21
rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2"
# NOTE(review): the setup text says "an EQL rule", but this rule is
# type = "new_terms" with language = "kuery". The event.ingested requirement
# still applies because of timestamp_override; confirm the intended wording
# with the rule owner before editing the string itself.
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Execution",
    "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "new_terms"

# Detection logic. Matches Windows process-start events where the child is
# MSBuild — identified either by case-insensitive process name or by the PE
# original file name, so a renamed copy still matches when PE metadata is
# available — and the parent is one of the listed shell/script interpreters.
# A parent outside this list (for example explorer.exe or an IDE) does not
# match, which is what keeps ordinary developer builds out of the alert set.
query = '''
host.os.type:windows and event.category:process and event.type:start and (
  process.name.caseless:"msbuild.exe" or process.pe.original_file_name:"MSBuild.exe") and 
  process.parent.name:("cmd.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "cscript.exe" or
    "wscript.exe" or "mshta.exe")
'''


# ATT&CK mapping. T1127.001 covers MSBuild being used for proxy execution;
# the T1059 sub-techniques correspond to the parent interpreters in the
# query (PowerShell -> powershell.exe/pwsh.exe/powershell_ise.exe, Windows
# Command Shell -> cmd.exe, Visual Basic -> cscript.exe/wscript.exe).
# NOTE(review): mshta.exe is in the parent list but has no corresponding
# technique entry here — verify whether one is expected.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1127"
name = "Trusted Developer Utilities Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1127/"
[[rule.threat.technique.subtechnique]]
id = "T1127.001"
name = "MSBuild"
reference = "https://attack.mitre.org/techniques/T1127/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"

[[rule.threat.technique.subtechnique]]
id = "T1059.005"
name = "Visual Basic"
reference = "https://attack.mitre.org/techniques/T1059/005/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

# New-terms configuration: the term is the tuple host.id / user.name /
# process.command_line, and history_window_start sets how far back (14 days)
# earlier occurrences are looked up. Presumably only a combination absent
# from that window produces an alert — confirm against the new_terms docs.
[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.name", "process.command_line"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
