Microsoft Build Engine Started an Unusual Process

  1[metadata]
  2creation_date = "2020/03/25"
  3integration = ["endpoint", "windows", "system"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler.
 11This technique is sometimes used to deploy a malicious payload using the Build Engine.
 12"""
 13false_positives = [
 14    """
 15    The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system
 16    triggers this rule it can be exempted by process, user or host name.
 17    """,
 18]
 19from = "now-9m"
 20index = [
 21    "logs-endpoint.events.process-*",
 22    "logs-system.security*",
 23    "logs-windows.forwarded*",
 24    "logs-windows.sysmon_operational-*",
 25    "winlogbeat-*",
 26]
 27language = "kuery"
 28license = "Elastic License v2"
 29name = "Microsoft Build Engine Started an Unusual Process"
 30note = """## Triage and analysis
 31
 32> **Disclaimer**:
 33> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 34
 35### Investigating Microsoft Build Engine Started an Unusual Process
 36
 37The Microsoft Build Engine (MSBuild) is a platform for building applications, often used in software development environments. Adversaries may exploit MSBuild to execute malicious scripts or compile code, bypassing security controls. The detection rule identifies unusual processes initiated by MSBuild, such as PowerShell or C# compiler, signaling potential misuse for executing unauthorized or harmful actions.
 38
 39### Possible investigation steps
 40
 41- Review the process tree to understand the parent-child relationship, focusing on MSBuild.exe or msbuild.exe as the parent process and any unusual child processes like csc.exe, iexplore.exe, or powershell.exe.
 42- Examine the command line arguments used by the unusual process to identify any suspicious or malicious scripts or commands being executed.
 43- Check the user account associated with the process to determine if it aligns with expected usage patterns or if it might be compromised.
 44- Investigate the source and integrity of the MSBuild project file (.proj or .sln) to ensure it hasn't been tampered with or used to execute unauthorized code.
 45- Analyze recent changes or deployments in the environment that might explain the unusual process execution, such as new software installations or updates.
 46- Correlate this event with other security alerts or logs to identify any patterns or additional indicators of compromise that might suggest a broader attack.
 47
 48### False positive analysis
 49
 50- Development environments often use MSBuild to execute legitimate PowerShell scripts or compile C# code. Regularly review and whitelist known development processes to prevent unnecessary alerts.
 51- Automated build systems may trigger this rule when running scripts or compiling code as part of their normal operation. Identify and exclude these systems by their hostnames or IP addresses.
 52- Some software installations or updates might use MSBuild to execute scripts. Monitor and document these activities, and create exceptions for recognized software vendors.
 53- Internal tools or scripts that rely on MSBuild for execution should be cataloged. Establish a baseline of expected behavior and exclude these from triggering alerts.
 54- Collaborate with development teams to understand their use of MSBuild and adjust the detection rule to accommodate their workflows without compromising security.
 55
 56### Response and remediation
 57
 58- Immediately isolate the affected system from the network to prevent further execution of potentially malicious processes and lateral movement.
 59- Terminate any suspicious processes initiated by MSBuild, such as PowerShell or the C# compiler, to halt any ongoing malicious activity.
 60- Conduct a thorough review of the affected system for any unauthorized changes or additional malicious files, focusing on scripts or executables that may have been deployed.
 61- Restore the system from a known good backup if any malicious activity or unauthorized changes are confirmed, ensuring that the backup is clean and uncompromised.
 62- Escalate the incident to the security operations team for further analysis and to determine if the threat is part of a larger attack campaign.
 63- Implement additional monitoring and logging for MSBuild and related processes to detect any future misuse or anomalies promptly.
 64- Review and update endpoint protection configurations to enhance detection and prevention capabilities against similar threats, ensuring that security controls are effectively blocking unauthorized script execution."""
 65references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"]
 66risk_score = 21
 67rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6"
 68severity = "low"
 69tags = [
 70    "Domain: Endpoint",
 71    "OS: Windows",
 72    "Use Case: Threat Detection",
 73    "Tactic: Defense Evasion",
 74    "Tactic: Execution",
 75    "Data Source: Elastic Defend",
 76    "Data Source: Sysmon",
 77    "Data Source: Windows Security Event Logs",
 78    "Resources: Investigation Guide",
 79]
 80timestamp_override = "event.ingested"
 81type = "new_terms"
 82
 83query = '''
 84host.os.type:windows and event.category:process and event.type:start and process.parent.name:("MSBuild.exe" or "msbuild.exe") and
 85process.name:("csc.exe" or "iexplore.exe" or "powershell.exe")
 86'''
 87
 88
 89[[rule.threat]]
 90framework = "MITRE ATT&CK"
 91[[rule.threat.technique]]
 92id = "T1027"
 93name = "Obfuscated Files or Information"
 94reference = "https://attack.mitre.org/techniques/T1027/"
 95[[rule.threat.technique.subtechnique]]
 96id = "T1027.004"
 97name = "Compile After Delivery"
 98reference = "https://attack.mitre.org/techniques/T1027/004/"
 99
100
101[[rule.threat.technique]]
102id = "T1127"
103name = "Trusted Developer Utilities Proxy Execution"
104reference = "https://attack.mitre.org/techniques/T1127/"
105[[rule.threat.technique.subtechnique]]
106id = "T1127.001"
107name = "MSBuild"
108reference = "https://attack.mitre.org/techniques/T1127/001/"
109
110
111
112[rule.threat.tactic]
113id = "TA0005"
114name = "Defense Evasion"
115reference = "https://attack.mitre.org/tactics/TA0005/"
116
117[rule.new_terms]
118field = "new_terms_fields"
119value = ["host.id", "user.name"]
120[[rule.new_terms.history_window_start]]
121field = "history_window_start"
122value = "now-14d"