Suspicious Msbuild Execution By Uncommon Parent Process

Aug 12, 2024 · attack.defense-evasion ·

Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process

Sigma rule (View on GitHub)

 1title: Suspicious Msbuild Execution By Uncommon Parent Process
 2id: 33be4333-2c6b-44f4-ae28-102cdbde0a31
 3status: test
 4description: Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process
 5references:
 6    - https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/
 7    - https://www.echotrail.io/insights/search/msbuild.exe
 8author: frack113
 9date: 2022-11-17
10tags:
11    - attack.defense-evasion
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        - Image|endswith: '\MSBuild.exe'
18        - OriginalFileName: 'MSBuild.exe'
19    filter_parent:
20        ParentImage|endswith:
21            - '\devenv.exe'
22            - '\cmd.exe'
23            - '\msbuild.exe'
24            - '\python.exe'
25            - '\explorer.exe'
26            - '\nuget.exe'
27    condition: selection and not filter_parent
28falsepositives:
29    - Unknown
30level: medium

References

Analysis BcE30tr1PvwTt8v.exe (MD5: 71EB23FAFF09C04883DD2DD9ECDFD6BF) Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

Read More
EchoTrail

Endpoint log security platform.

Read More

Suspicious Msbuild Execution By Uncommon Parent Process

Sigma rule (View on GitHub)

References

Analysis BcE30tr1PvwTt8v.exe (MD5: 71EB23FAFF09C04883DD2DD9ECDFD6BF) Malicious activity - Interactive analysis ANY.RUN

EchoTrail

Related rules