Suspicious Msbuild Execution By Uncommon Parent Process
Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process
Sigma rule (View on GitHub)
1title: Suspicious Msbuild Execution By Uncommon Parent Process
2id: 33be4333-2c6b-44f4-ae28-102cdbde0a31
3status: test
4description: Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process
5references:
6 - https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/
7 - https://www.echotrail.io/insights/search/msbuild.exe
8author: frack113
9date: 2022/11/17
10tags:
11 - attack.defense_evasion
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 - Image|endswith: '\MSBuild.exe'
18 - OriginalFileName: 'MSBuild.exe'
19 filter_parent:
20 ParentImage|endswith:
21 - '\devenv.exe'
22 - '\cmd.exe'
23 - '\msbuild.exe'
24 - '\python.exe'
25 - '\explorer.exe'
26 - '\nuget.exe'
27 condition: selection and not filter_parent
28falsepositives:
29 - Unknown
30level: medium
References
-
Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.
Read More
Related rules
- AMSI Bypass Pattern Assembly GetType
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Created And Deleted Within A Close Time Frame
- Account Tampering - Suspicious Failed Logon Reasons