Microsoft Build Engine Started by a System Process

calendar Nov 4, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Defense Evasion Tactic: Execution Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: System Data Source: Microsoft Defender for Endpoint Data Source: Sysmon Data Source: SentinelOne Data Source: Crowdstrike  ·
Share on: linkedin copy

An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/03/25"
 3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 4maturity = "production"
 5updated_date = "2024/10/31"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management
13Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.
14"""
15false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
16from = "now-9m"
17index = [
18    "winlogbeat-*",
19    "logs-endpoint.events.process-*",
20    "logs-windows.forwarded*",
21    "logs-windows.sysmon_operational-*",
22    "endgame-*",
23    "logs-system.security*",
24    "logs-m365_defender.event-*",
25    "logs-sentinel_one_cloud_funnel.*",
26    "logs-crowdstrike.fdr*",
27]
28language = "eql"
29license = "Elastic License v2"
30name = "Microsoft Build Engine Started by a System Process"
31risk_score = 47
32rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3"
33severity = "medium"
34tags = [
35    "Domain: Endpoint",
36    "OS: Windows",
37    "Use Case: Threat Detection",
38    "Tactic: Defense Evasion",
39    "Tactic: Execution",
40    "Data Source: Elastic Endgame",
41    "Data Source: Elastic Defend",
42    "Data Source: System",
43    "Data Source: Microsoft Defender for Endpoint",
44    "Data Source: Sysmon",
45    "Data Source: SentinelOne",
46    "Data Source: Crowdstrike",
47]
48timestamp_override = "event.ingested"
49type = "eql"
50
51query = '''
52process where host.os.type == "windows" and event.type == "start" and
53  process.name : "MSBuild.exe" and
54  process.parent.name : ("explorer.exe", "wmiprvse.exe")
55'''
56
57
58[[rule.threat]]
59framework = "MITRE ATT&CK"
60[[rule.threat.technique]]
61id = "T1127"
62name = "Trusted Developer Utilities Proxy Execution"
63reference = "https://attack.mitre.org/techniques/T1127/"
64[[rule.threat.technique.subtechnique]]
65id = "T1127.001"
66name = "MSBuild"
67reference = "https://attack.mitre.org/techniques/T1127/001/"
68
69
70
71[rule.threat.tactic]
72id = "TA0005"
73name = "Defense Evasion"
74reference = "https://attack.mitre.org/tactics/TA0005/"
75[[rule.threat]]
76framework = "MITRE ATT&CK"
77
78[rule.threat.tactic]
79id = "TA0002"
80name = "Execution"
81reference = "https://attack.mitre.org/tactics/TA0002/"

Related rules

to-top