MsBuild Network Connection Sequence
Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity, as MsBuild is often leveraged by adversaries to execute code and evade detection. Note that legitimate builds (for example, package restores on build hosts) also cause MsBuild to reach the network, so environment-specific exclusions are usually needed before alerting on this at scale.
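[metadata]
creation_date = "2020/09/02"
integration = ["endpoint", "windows"]
# Not production-ready: the query below is flagged as a duplicate of an existing rule.
maturity = "development"
updated_date = "2023/02/22"

[rule]
author = ["Elastic"]
description = """
Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often
leveraged by adversaries to execute code and evade detection.
"""
# Lookback window for each run; presumably sized to overlap the schedule interval so events are not missed.
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "MsBuild Network Connection Sequence"
risk_score = 47
rule_id = "9dc6ed5d-62a9-4feb-a903-fafa1d33b8e9"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
type = "eql"

# Tuning note: legitimate build pipelines (e.g. package restore on build servers) also make
# MSBuild reach the network; exclude known build hosts/destinations before enabling widely.
query = '''
/* duplicate of MsBuild Making Network Connections - 0e79980b-4250-4a50-a509-69294c14e84b */

/* Correlate the MSBuild process start with any later network event from the same process
   instance (process.entity_id). No maxspan is set, so a long-lived build process that
   connects out much later still matches; a process that started before collection began
   has no start event and cannot match at all. The ":" operator matches case-insensitively. */
sequence by process.entity_id
 [process where host.os.type == "windows" and event.type == "start" and process.name : "MSBuild.exe"]
 [network where host.os.type == "windows" and process.name : "MSBuild.exe" and
  /* Drop loopback traffic. The previous check only excluded 127.0.0.1 <-> 127.0.0.1;
     the whole 127.0.0.0/8 block and IPv6 ::1 are loopback as well. */
  not cidrmatch(destination.ip, "127.0.0.0/8", "::1")]
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1127"
name = "Trusted Developer Utilities Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1127/"
[[rule.threat.technique.subtechnique]]
id = "T1127.001"
name = "MSBuild"
reference = "https://attack.mitre.org/techniques/T1127/001/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"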