IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
MsBuild Making Network Connectionsedit
Identifies MsBuild.exe
making outbound network connections. This may indicate
adversarial activity as MsBuild is often leveraged by adversaries to execute
code and evade detection.
Rule indices:
- winlogbeat-*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum signals per execution: 100
Tags:
- Elastic
- Windows
Rule version: 1
Added (Elastic Stack release): 7.6.0
Rule queryedit
event.action:"Network connection detected (rule: NetworkConnect)" and process.name:MSBuild.exe and not destination.ip:("127.0.0.1" or "::1")
Threat mappingedit
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Trusted Developer Utilities
- ID: T1127
- Reference URL: https://attack.mitre.org/techniques/T1127/