LoFP / The build engine is commonly used by Windows developers, but use by non-engineers is unusual.

Sample rules

Process Injection by the Microsoft Build Engine

Description

An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.

Detection logic

process where host.os.type == "windows" and process.name: "MSBuild.exe" and
    event.action:("CreateRemoteThread detected (rule: CreateRemoteThread)", "CreateRemoteThread")

Potential Credential Access via Trusted Developer Utility

Description

An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.

Detection logic

sequence by process.entity_id
 [process where host.os.type == "windows" and event.type == "start" and (process.name : "MSBuild.exe" or process.pe.original_file_name == "MSBuild.exe")]
 [any where host.os.type == "windows" and (event.category == "library" or (event.category == "process" and event.action : "Image loaded*")) and
  (?dll.name : ("vaultcli.dll", "SAMLib.DLL") or file.name : ("vaultcli.dll", "SAMLib.DLL"))]
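The sequence rule above is stateful: it only fires when a credential-management DLL is loaded by a process that an earlier event identified as MSBuild, joined on process.entity_id. As an added example (not Elastic's code), the same logic in Python, run over constructed ECS-shaped events. The events are flat dicts keyed by dotted ECS field names, which is an assumption made here for readability; the sample telemetry is made up.

```python
# Added example (not Elastic's code): a stateful re-implementation of the
# "Potential Credential Access via Trusted Developer Utility" sequence rule,
# run over constructed ECS-shaped events. Events are flat dicts keyed by the
# dotted ECS field names, which is an assumption made for this example.
from typing import Dict, Iterable, List, Set, Tuple

# EQL ':' matches strings case-insensitively, so compare lower-cased names.
CRED_DLLS = {"vaultcli.dll", "samlib.dll"}


def _is_msbuild_start(ev: Dict) -> bool:
    """Stage one: a Windows process-start event for MSBuild (by name or PE original name)."""
    if ev.get("host.os.type") != "windows" or ev.get("event.category") != "process":
        return False
    if ev.get("event.type") != "start":
        return False
    name = (ev.get("process.name") or "").lower()
    # '==' in EQL is case-sensitive, so the original_file_name check is exact.
    return name == "msbuild.exe" or ev.get("process.pe.original_file_name") == "MSBuild.exe"


def _is_cred_dll_load(ev: Dict) -> bool:
    """Stage two: a library load (ECS 'library' or Sysmon 'Image loaded') of a credential DLL."""
    if ev.get("host.os.type") != "windows":
        return False
    category = ev.get("event.category")
    action = ev.get("event.action") or ""
    if not (category == "library" or (category == "process" and action.startswith("Image loaded"))):
        return False
    loaded = {(ev.get("dll.name") or "").lower(), (ev.get("file.name") or "").lower()}
    return bool(loaded & CRED_DLLS)


def detect_cred_access(events: Iterable[Dict]) -> List[Tuple[str, str]]:
    """Return (process.entity_id, dll) for every MSBuild process that later loads vaultcli.dll or SAMLib.DLL.

    Mirrors 'sequence by process.entity_id': both stages must share the join
    key and arrive in order. The input must already be time-ordered.
    """
    pending: Set[str] = set()      # entity_ids that have completed stage one
    hits: List[Tuple[str, str]] = []
    for ev in events:
        entity = ev.get("process.entity_id")
        if not entity:
            continue               # no join key, so the event cannot take part in the sequence
        if _is_msbuild_start(ev):
            pending.add(entity)
        elif entity in pending and _is_cred_dll_load(ev):
            hits.append((entity, ev.get("dll.name") or ev.get("file.name")))
            pending.discard(entity)  # a completed sequence needs a fresh stage one to fire again
    return hits


# Constructed sample telemetry, in time order: two MSBuild instances that load
# credential DLLs (one of them renamed and reported via Sysmon image-load
# events) and a Visual Studio process that loads vaultcli.dll, which must not fire.
SAMPLE_EVENTS = [
    {"host.os.type": "windows", "event.category": "process", "event.type": "start",
     "process.entity_id": "abc-1", "process.name": "MSBuild.exe",
     "process.pe.original_file_name": "MSBuild.exe"},
    {"host.os.type": "windows", "event.category": "process", "event.type": "start",
     "process.entity_id": "def-2", "process.name": "devenv.exe"},
    {"host.os.type": "windows", "event.category": "library",
     "process.entity_id": "def-2", "dll.name": "vaultcli.dll"},
    {"host.os.type": "windows", "event.category": "library",
     "process.entity_id": "abc-1", "dll.name": "Microsoft.Build.dll"},
    {"host.os.type": "windows", "event.category": "library",
     "process.entity_id": "abc-1", "dll.name": "vaultcli.dll"},
    {"host.os.type": "windows", "event.category": "process", "event.type": "start",
     "process.entity_id": "ghi-3", "process.name": "build.exe",
     "process.pe.original_file_name": "MSBuild.exe"},
    {"host.os.type": "windows", "event.category": "process",
     "event.action": "Image loaded (rule: ImageLoad)",
     "process.entity_id": "ghi-3", "file.name": "SAMLib.DLL"},
]

if __name__ == "__main__":
    for entity, dll in detect_cred_access(SAMPLE_EVENTS):
        print(f"ALERT: MSBuild process {entity} loaded {dll}")
```

Two things to check before trusting this rule in production: the event source must populate process.entity_id consistently across the process-start and library-load events (otherwise the join never happens), and the EQL original has no maxspan, so a long-lived build agent process that legitimately touches the vault later in its life will still match.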

Microsoft Build Engine Started by a System Process

Description

An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.

Detection logic

process where host.os.type == "windows" and event.type == "start" and
  process.name : "MSBuild.exe" and
  process.parent.name : ("explorer.exe", "wmiprvse.exe")

Microsoft Build Engine Started by a Script Process

Description

An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.

Detection logic

host.os.type:windows and event.category:process and event.type:start and (
  process.name.caseless:"msbuild.exe" or process.pe.original_file_name:"MSBuild.exe") and 
  process.parent.name:("cmd.exe" or "powershell.exe" or "pwsh.exe" or "powershell_ise.exe" or "cscript.exe" or
    "wscript.exe" or "mshta.exe")

Microsoft Build Engine Using an Alternate Name

Description

An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.

Detection logic

process where host.os.type == "windows" and event.type == "start" and
  process.pe.original_file_name == "MSBuild.exe" and
  not process.name : "MSBuild.exe"

Microsoft Build Engine Started by an Office Application

Description

An instance of MSBuild, the Microsoft Build Engine, was started by an Office application such as Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Office document executing a malicious script payload.

Detection logic

process where host.os.type == "windows" and event.type == "start" and
  process.name : "MSBuild.exe" and
  process.parent.name : ("eqnedt32.exe",
                         "excel.exe",
                         "fltldr.exe",
                         "msaccess.exe",
                         "mspub.exe",
                         "outlook.exe",
                         "powerpnt.exe",
                         "winword.exe" )

Microsoft Build Engine Started an Unusual Process

Description

An instance of MSBuild, the Microsoft Build Engine, started PowerShell, Internet Explorer, or the Visual C# Command Line Compiler (csc.exe). This technique is sometimes used to deploy a malicious payload using the Build Engine.

Detection logic

host.os.type:windows and event.category:process and event.type:start and process.parent.name:("MSBuild.exe" or "msbuild.exe") and
process.name:("csc.exe" or "iexplore.exe" or "powershell.exe")
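The remaining rules on this page (process injection, started by a system, script or Office parent, running under an alternate name, and starting an unusual child) each match a single event. As an added example (not Elastic's code), here they are as Python predicates over flattened ECS-style process events, evaluated against constructed samples that include the benign developer case from the LoFP note at the top of the page. The dotted-key flat dicts and the "id" field are assumptions made for this example; names are compared case-insensitively throughout, which is what the EQL ":" operator and the KQL ".caseless" subfield provide.

```python
# Added example (not Elastic's code): the single-event MSBuild rules on this
# page as Python predicates over flattened ECS-style process events, evaluated
# against constructed sample events. Flat dotted-key dicts and the "id" field
# are assumptions made for this example.
from typing import Callable, Dict, List


def _lower(ev: Dict, key: str) -> str:
    return (ev.get(key) or "").lower()


def _win_process_start(ev: Dict) -> bool:
    return (ev.get("host.os.type") == "windows"
            and ev.get("event.category") == "process"
            and ev.get("event.type") == "start")


def _is_msbuild(ev: Dict) -> bool:
    # The PE original name survives a rename of the file on disk.
    return (_lower(ev, "process.name") == "msbuild.exe"
            or ev.get("process.pe.original_file_name") == "MSBuild.exe")


SYSTEM_PARENTS = {"explorer.exe", "wmiprvse.exe"}
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe",
                  "cscript.exe", "wscript.exe", "mshta.exe"}
OFFICE_PARENTS = {"eqnedt32.exe", "excel.exe", "fltldr.exe", "msaccess.exe",
                  "mspub.exe", "outlook.exe", "powerpnt.exe", "winword.exe"}
UNUSUAL_CHILDREN = {"csc.exe", "iexplore.exe", "powershell.exe"}
INJECTION_ACTIONS = {"CreateRemoteThread detected (rule: CreateRemoteThread)", "CreateRemoteThread"}

# Rule name -> predicate, in the order the rules appear on the page.
RULES: Dict[str, Callable[[Dict], bool]] = {
    "Process Injection by the Microsoft Build Engine": lambda ev: (
        ev.get("host.os.type") == "windows" and ev.get("event.category") == "process"
        and _lower(ev, "process.name") == "msbuild.exe"
        and ev.get("event.action") in INJECTION_ACTIONS),
    "Microsoft Build Engine Started by a System Process": lambda ev: (
        _win_process_start(ev) and _lower(ev, "process.name") == "msbuild.exe"
        and _lower(ev, "process.parent.name") in SYSTEM_PARENTS),
    "Microsoft Build Engine Started by a Script Process": lambda ev: (
        _win_process_start(ev) and _is_msbuild(ev)
        and _lower(ev, "process.parent.name") in SCRIPT_PARENTS),
    "Microsoft Build Engine Using an Alternate Name": lambda ev: (
        _win_process_start(ev)
        and ev.get("process.pe.original_file_name") == "MSBuild.exe"
        and _lower(ev, "process.name") != "msbuild.exe"),
    "Microsoft Build Engine Started by an Office Application": lambda ev: (
        _win_process_start(ev) and _lower(ev, "process.name") == "msbuild.exe"
        and _lower(ev, "process.parent.name") in OFFICE_PARENTS),
    "Microsoft Build Engine Started an Unusual Process": lambda ev: (
        _win_process_start(ev) and _lower(ev, "process.parent.name") == "msbuild.exe"
        and _lower(ev, "process.name") in UNUSUAL_CHILDREN),
}


def evaluate(ev: Dict) -> List[str]:
    """Names of the rules that fire on a single event, in page order."""
    return [name for name, predicate in RULES.items() if predicate(ev)]


def run(events: List[Dict]) -> Dict[str, List[str]]:
    """Map event id -> firing rules, omitting events that match nothing."""
    results: Dict[str, List[str]] = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            results[ev["id"]] = hits
    return results


# Constructed sample events. e1 is the expected-benign case from the LoFP
# note: a developer's Visual Studio build, which should match no rule.
_BASE = {"host.os.type": "windows", "event.category": "process", "event.type": "start"}
SAMPLE_EVENTS = [
    {**_BASE, "id": "e1", "process.name": "MSBuild.exe", "process.parent.name": "devenv.exe"},
    {**_BASE, "id": "e2", "process.name": "MSBuild.exe", "process.parent.name": "WINWORD.EXE"},
    {**_BASE, "id": "e3", "process.name": "build.exe",
     "process.pe.original_file_name": "MSBuild.exe", "process.parent.name": "cmd.exe"},
    {**_BASE, "id": "e4", "process.name": "csc.exe", "process.parent.name": "MSBuild.exe"},
    {"host.os.type": "windows", "event.category": "process", "event.type": "info", "id": "e5",
     "process.name": "MSBuild.exe", "event.action": "CreateRemoteThread"},
    {**_BASE, "id": "e6", "process.name": "MSBuild.exe", "process.parent.name": "explorer.exe"},
]

if __name__ == "__main__":
    for event_id, hits in run(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(hits))
```

Note that e3 fires two rules at once: the script-parent rule still catches a renamed binary because it also checks process.pe.original_file_name, and the alternate-name rule fires on the rename itself. That field must be populated by the event source (Sysmon and Elastic Endpoint read it from the PE version resource), so the rename rule is blind on collectors that only record the image path. The csc.exe child in e4 is also what a legitimate build with inline tasks produces, so the last rule is the one that most needs tuning for build agents and developer hosts.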