Process Injection by the Microsoft Build Engine

An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.

Elastic rule

[metadata]
creation_date = "2020/03/25"
integration = ["windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes
used to evade detection or elevate privileges.
"""
false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
index = ["winlogbeat-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Process Injection by the Microsoft Build Engine"
risk_score = 21
rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Privilege Escalation",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and process.name: "MSBuild.exe" and
    event.action:("CreateRemoteThread detected (rule: CreateRemoteThread)", "CreateRemoteThread")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Process Injection by the Microsoft Build Engine

The Microsoft Build Engine (MSBuild) is a platform for building applications, often used in software development environments. Adversaries exploit MSBuild to perform process injection, a technique to execute malicious code within the address space of another process, thereby evading detection and potentially escalating privileges. The detection rule identifies suspicious MSBuild activity by monitoring for thread creation in other processes, leveraging Sysmon data to flag potential abuse.

### Possible investigation steps

- Review the alert details to confirm that the process name is "MSBuild.exe" and the event action is "CreateRemoteThread detected (rule: CreateRemoteThread)".
- Examine the parent process of MSBuild.exe to determine if it was launched by a legitimate application or user, which could indicate whether the activity is expected or suspicious.
- Check the timeline of events to see if there are any other related alerts or activities around the same time, such as unusual network connections or file modifications, which could provide additional context.
- Investigate the target process where the thread was created to assess its normal behavior and determine if it is a common target for injection or if it has been compromised.
- Analyze the command line arguments used to launch MSBuild.exe to identify any unusual or suspicious parameters that could indicate malicious intent.
- Review the user account associated with the MSBuild.exe process to verify if it has the necessary permissions and if the activity aligns with the user's typical behavior.
- Consult threat intelligence sources to check if there are any known campaigns or malware that utilize MSBuild for process injection, which could help in understanding the potential threat actor or objective.

### False positive analysis

- Development environments often use MSBuild for legitimate purposes, which can trigger false positives. Users should monitor and establish a baseline of normal MSBuild activity to differentiate between benign and suspicious behavior.
- Automated build systems may frequently invoke MSBuild, leading to false positives. Consider excluding known build server IP addresses or specific user accounts associated with these systems from the detection rule.
- Some legitimate software may use MSBuild for plugin or extension loading, which could appear as process injection. Identify and whitelist these applications by their process hashes or paths to reduce noise.
- Regular updates or installations of software development tools might cause MSBuild to create threads in other processes. Temporarily disable the rule during scheduled maintenance windows to prevent unnecessary alerts.
- Collaborate with development teams to understand their use of MSBuild and adjust the detection rule to exclude known safe operations, ensuring that only unexpected or unauthorized uses are flagged.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
- Terminate the MSBuild.exe process if it is confirmed to be involved in unauthorized thread creation, using task management tools or scripts.
- Conduct a memory analysis on the affected system to identify and extract any injected code or payloads for further investigation.
- Review and restore any altered or compromised system files and configurations to their original state using known good backups.
- Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine the scope of the intrusion.
- Implement application whitelisting to prevent unauthorized execution of MSBuild.exe or similar tools in non-development environments.
- Enhance monitoring and detection capabilities by ensuring Sysmon is configured to log detailed process creation and thread injection events across the network."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"

[[rule.threat.technique]]
id = "T1127"
name = "Trusted Developer Utilities Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1127/"
[[rule.threat.technique.subtechnique]]
id = "T1127.001"
name = "MSBuild"
reference = "https://attack.mitre.org/techniques/T1127/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
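As an added illustration that is not part of the Elastic rule or its repository, the Python below re-implements the EQL query above over constructed ECS-style Sysmon Event ID 8 (CreateRemoteThread) records and applies the build-account exclusion that the false-positive guidance recommends. The `winlog.event_data.TargetImage` field, the account names and the sample records are assumptions made for the example.

```python
RULE_NAME = "Process Injection by the Microsoft Build Engine"
# Both event.action spellings the rule accepts, lowered because EQL ':' ignores case.
CREATE_REMOTE_THREAD_ACTIONS = {
    "createremotethread detected (rule: createremotethread)",
    "createremotethread",
}

# Constructed sample ECS records carrying only the fields the query and triage use.
# winlog.event_data.TargetImage is assumed to hold Sysmon's TargetImage attribute.
SAMPLE_EVENTS = [
    {"host": {"os": {"type": "windows"}}, "event": {"action": "CreateRemoteThread"},
     "process": {"name": "MSBuild.exe", "pid": 4120}, "user": {"name": "jdoe"},
     "winlog": {"event_data": {"TargetImage": "C:\\Windows\\explorer.exe"}}},
    {"host": {"os": {"type": "windows"}},
     "event": {"action": "CreateRemoteThread detected (rule: CreateRemoteThread)"},
     "process": {"name": "msbuild.exe", "pid": 5000}, "user": {"name": "svc_build"},
     "winlog": {"event_data": {"TargetImage": "C:\\Program Files\\dotnet\\dotnet.exe"}}},
    {"host": {"os": {"type": "windows"}}, "event": {"action": "Process Create (rule: ProcessCreate)"},
     "process": {"name": "MSBuild.exe", "pid": 6011}, "user": {"name": "jdoe"}},
    {"host": {"os": {"type": "linux"}}, "event": {"action": "CreateRemoteThread"},
     "process": {"name": "MSBuild.exe", "pid": 77}, "user": {"name": "jdoe"}},
]

def get_field(event, dotted):
    """Resolve an ECS dotted path such as "process.name" inside a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_rule(event):
    """Mirror the EQL query: '==' compares case-sensitively, ':' case-insensitively."""
    if get_field(event, "host.os.type") != "windows":
        return False
    name, action = get_field(event, "process.name"), get_field(event, "event.action")
    return (isinstance(name, str) and name.lower() == "msbuild.exe"
            and isinstance(action, str) and action.lower() in CREATE_REMOTE_THREAD_ACTIONS)

def evaluate(events, excluded_users=frozenset()):
    """One alert per matching event; baselined build accounts are dropped, not the rule."""
    alerts = []
    for ev in events:
        if matches_rule(ev) and get_field(ev, "user.name") not in excluded_users:
            alerts.append({"rule": RULE_NAME, "pid": get_field(ev, "process.pid"),
                           "user": get_field(ev, "user.name"),
                           "target": get_field(ev, "winlog.event_data.TargetImage")})
    return alerts
```

Each alert keeps the target process and launching account so the triage steps above (target process, user account) can start from the alert itself.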
