Microsoft Build Engine Started by a System Process
An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/03/25"
3integration = ["endpoint", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/02/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management
13Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.
14"""
15false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Microsoft Build Engine Started by a System Process"
21note = """## Setup
22
23If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
24"""
25risk_score = 47
26rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3"
27severity = "medium"
28tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
29timestamp_override = "event.ingested"
30type = "eql"
31
32query = '''
33process where host.os.type == "windows" and event.type == "start" and
34 process.name : "MSBuild.exe" and
35 process.parent.name : ("explorer.exe", "wmiprvse.exe")
36'''
37
38
39[[rule.threat]]
40framework = "MITRE ATT&CK"
41[[rule.threat.technique]]
42id = "T1127"
43name = "Trusted Developer Utilities Proxy Execution"
44reference = "https://attack.mitre.org/techniques/T1127/"
45[[rule.threat.technique.subtechnique]]
46id = "T1127.001"
47name = "MSBuild"
48reference = "https://attack.mitre.org/techniques/T1127/001/"
49
50
51
52[rule.threat.tactic]
53id = "TA0005"
54name = "Defense Evasion"
55reference = "https://attack.mitre.org/tactics/TA0005/"
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58
59[rule.threat.tactic]
60id = "TA0002"
61name = "Execution"
62reference = "https://attack.mitre.org/tactics/TA0002/"
Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested
and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested
to @timestamp for this rule to work.