Microsoft Build Engine Started by a System Process

calendarMar 5, 2023  ·
Share on: linkedincopy

An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/03/25"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/02/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management
13Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.
14"""
15false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Microsoft Build Engine Started by a System Process"
21note = """## Setup
22
23If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
24"""
25risk_score = 47
26rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3"
27severity = "medium"
28tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
29timestamp_override = "event.ingested"
30type = "eql"
31
32query = '''
33process where host.os.type == "windows" and event.type == "start" and
34  process.name : "MSBuild.exe" and
35  process.parent.name : ("explorer.exe", "wmiprvse.exe")
36'''
37
38
39[[rule.threat]]
40framework = "MITRE ATT&CK"
41[[rule.threat.technique]]
42id = "T1127"
43name = "Trusted Developer Utilities Proxy Execution"
44reference = "https://attack.mitre.org/techniques/T1127/"
45[[rule.threat.technique.subtechnique]]
46id = "T1127.001"
47name = "MSBuild"
48reference = "https://attack.mitre.org/techniques/T1127/001/"
49
50
51
52[rule.threat.tactic]
53id = "TA0005"
54name = "Defense Evasion"
55reference = "https://attack.mitre.org/tactics/TA0005/"
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58
59[rule.threat.tactic]
60id = "TA0002"
61name = "Execution"
62reference = "https://attack.mitre.org/tactics/TA0002/"

Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.

to-top