MsBuild Making Network Connectionsedit

Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.

Rule indices:

  • winlogbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

Tags:

  • Elastic
  • Windows

Rule version: 1

Added (Elastic Stack release): 7.6.0

Rule queryedit

event.action:"Network connection detected (rule: NetworkConnect)" and
process.name:MSBuild.exe and not destination.ip:("127.0.0.1" or "::1")

Threat mappingedit

Framework: MITRE ATT&CKTM