Microsoft Build Engine Started by a System Process

An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management
Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.
"""
false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Microsoft Build Engine Started by a System Process"
risk_score = 47
rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: System",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.name : "MSBuild.exe" and
  process.parent.name : ("explorer.exe", "wmiprvse.exe")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Microsoft Build Engine Started by a System Process

The Microsoft Build Engine (MSBuild) is a platform for building applications, typically invoked by developers. However, adversaries exploit it to execute malicious code, leveraging its trusted status to bypass security measures. The detection rule identifies unusual MSBuild activity initiated by system processes like Explorer or WMI, which may indicate an attempt to evade defenses and execute unauthorized actions.

### Possible investigation steps

- Review the process tree to understand the parent-child relationship, focusing on instances where MSBuild.exe is started by explorer.exe or wmiprvse.exe.
- Check the command line arguments used to start MSBuild.exe for any suspicious or unusual parameters that could indicate malicious activity.
- Investigate the user account associated with the process to determine if it aligns with expected behavior or if it might be compromised.
- Examine recent file modifications or creations in directories commonly used by MSBuild to identify any unauthorized or unexpected files.
- Correlate the event with other security alerts or logs from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context on the activity.
- Assess the network activity of the host during the time of the alert to identify any potential data exfiltration or communication with known malicious IP addresses.

### False positive analysis

- Legitimate software installations or updates may trigger MSBuild.exe to start from Explorer or WMI. Monitor these events and verify if they coincide with known software changes.
- Development environments where MSBuild is frequently used might see this behavior as part of normal operations. Identify and document these environments to create exceptions for known development machines.
- Automated scripts or administrative tools that leverage MSBuild for legitimate tasks can cause false positives. Review and whitelist these scripts or tools if they are verified as non-malicious.
- System maintenance tasks initiated by IT personnel might use MSBuild in a manner that appears suspicious. Coordinate with IT to understand routine maintenance activities and exclude them from alerts.
- Security software or monitoring tools that interact with MSBuild for scanning or analysis purposes should be identified and excluded from triggering alerts.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
- Terminate the MSBuild.exe process if it is confirmed to be executing unauthorized or malicious code.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious payloads or associated files.
- Review and analyze the parent processes (explorer.exe or wmiprvse.exe) to determine if they have been compromised or are executing other suspicious activities.
- Restore the system from a known good backup if any critical system files or applications have been altered or corrupted.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for MSBuild.exe and related processes to detect similar activities in the future, ensuring alerts are configured for rapid response."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1127"
name = "Trusted Developer Utilities Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1127/"
[[rule.threat.technique.subtechnique]]
id = "T1127.001"
name = "MSBuild"
reference = "https://attack.mitre.org/techniques/T1127/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
```
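To make the rule's logic concrete outside Elastic, the following added example (not part of the Elastic rule or its repository) re-implements the EQL predicate in Python over a handful of constructed ECS-style process events, and applies the kind of per-host exception the false-positive analysis suggests for documented developer machines. The `KNOWN_DEV_HOSTS` set, the host and user names, and the flattened dotted-key event layout are assumptions for the example.

```python
from typing import Any, Dict, List

# Values taken from the rule on this page.
RULE_NAME = "Microsoft Build Engine Started by a System Process"
RISK_SCORE = 47
SUSPICIOUS_PARENTS = ("explorer.exe", "wmiprvse.exe")

# Hypothetical exception list: hosts documented as developer machines
# (see the rule's false-positive analysis). Not part of the rule itself.
KNOWN_DEV_HOSTS = {"dev-ws-01"}


def matches_rule(ev: Dict[str, Any]) -> bool:
    """Mirror the EQL query. In EQL '==' is case-sensitive and ':' is
    case-insensitive, so host/event fields are compared as-is while the
    process names are lower-cased before comparison."""
    return (
        ev.get("event.category") == "process"          # implied by 'process where'
        and ev.get("host.os.type") == "windows"
        and ev.get("event.type") == "start"
        and str(ev.get("process.name", "")).lower() == "msbuild.exe"
        and str(ev.get("process.parent.name", "")).lower() in SUSPICIOUS_PARENTS
    )


def build_alerts(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one alert per matching event, carrying the fields the triage
    steps ask for (parent, user, command line). Events from documented dev
    hosts are kept but marked suppressed rather than silently dropped."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({
                "rule": RULE_NAME, "risk_score": RISK_SCORE,
                "host": ev.get("host.name"), "user": ev.get("user.name"),
                "parent": ev.get("process.parent.name"),
                "command_line": ev.get("process.command_line"),
                "suppressed": ev.get("host.name") in KNOWN_DEV_HOSTS,
            })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event.category": "process", "event.type": "start", "host.os.type": "windows", "host.name": "hr-laptop-07",
     "user.name": "j.doe", "process.name": "MSBuild.exe", "process.parent.name": "explorer.exe",
     "process.command_line": "MSBuild.exe C:\\Users\\j.doe\\Downloads\\report.proj"},
    {"event.category": "process", "event.type": "start", "host.os.type": "windows", "host.name": "dev-ws-01",
     "user.name": "a.dev", "process.name": "MSBuild.exe", "process.parent.name": "devenv.exe"},
    {"event.category": "process", "event.type": "start", "host.os.type": "windows", "host.name": "dev-ws-01",
     "user.name": "a.dev", "process.name": "MSBUILD.EXE", "process.parent.name": "WmiPrvSE.exe"},
    {"event.category": "process", "event.type": "end", "host.os.type": "windows", "host.name": "hr-laptop-07",
     "user.name": "j.doe", "process.name": "MSBuild.exe", "process.parent.name": "explorer.exe"},
]
```

Running `build_alerts(SAMPLE_EVENTS)` yields two alerts: the Explorer-spawned instance on the non-developer host, and the WMI-spawned instance on the dev workstation, which is flagged as suppressed by the exception list.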

