New

The executive guide to generative AI

Read more

Microsoft Build Engine Started an Unusual Process

edit

Microsoft Build Engine Started an Unusual Process

edit

An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion

Version: 8 (version history)

Added (Elastic Stack release): 7.7.0

Last modified (Elastic Stack release): 7.13.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name.

Rule query

edit
process where event.type in ("start", "process_started") and
process.parent.name : "MSBuild.exe" and process.name : ("csc.exe",
"iexplore.exe", "powershell.exe")

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 8 (7.13.0 release)
  • Updated query, changed from:

    event.category:process and event.type:(start or process_started) and
    process.parent.name:MSBuild.exe and process.name:(csc.exe or
    iexplore.exe or powershell.exe)
Version 7 (7.12.0 release)
  • Formatting only
Version 6 (7.11.2 release)
  • Formatting only
Version 5 (7.11.0 release)
  • Formatting only
Version 4 (7.10.0 release)
  • Formatting only
Version 3 (7.9.1 release)
  • Formatting only
Version 2 (7.9.0 release)
  • Updated query, changed from:

    process.parent.name:MSBuild.exe and process.name:(csc.exe or
    iexplore.exe or powershell.exe)
Was this helpful?
Feedback