MsBuild Network Connection Sequence

Identifies MsBuild.exe making outbound (non-loopback) network connections. MsBuild is a Microsoft-signed developer utility that adversaries abuse to compile and run code from a project file (ATT&CK T1127.001), so a network connection from it on a host where builds are not expected may indicate adversarial activity.


 1[metadata]
 2creation_date = "2020/09/02"
 3integration = ["endpoint", "windows"]
 4maturity = "development"
 5updated_date = "2023/06/22"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often
11leveraged by adversaries to execute code and evade detection.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
15language = "eql"
16license = "Elastic License v2"
17name = "MsBuild Network Connection Sequence"
18risk_score = 47
19rule_id = "9dc6ed5d-62a9-4feb-a903-fafa1d33b8e9"
20severity = "medium"
21tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
22type = "eql"
23
24query = '''
25/* duplicate of MsBuild Making Network Connections - 0e79980b-4250-4a50-a509-69294c14e84b */
26
27sequence by process.entity_id
28  [process where host.os.type == "windows" and event.type == "start" and process.name : "MSBuild.exe"]
29  [network where host.os.type == "windows" and process.name : "MSBuild.exe" and
30     not (destination.ip == "127.0.0.1" and source.ip == "127.0.0.1")]
31'''
32
33
34[[rule.threat]]
35framework = "MITRE ATT&CK"
36[[rule.threat.technique]]
37id = "T1127"
38name = "Trusted Developer Utilities Proxy Execution"
39reference = "https://attack.mitre.org/techniques/T1127/"
40[[rule.threat.technique.subtechnique]]
41id = "T1127.001"
42name = "MSBuild"
43reference = "https://attack.mitre.org/techniques/T1127/001/"
44
45
46
47[rule.threat.tactic]
48id = "TA0005"
49name = "Defense Evasion"
50reference = "https://attack.mitre.org/tactics/TA0005/"
