The SIEM app is now a part of the Elastic Security solution.
Click
here to view the current documentation.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
Microsoft Build Engine Started by a Script Process
editMicrosoft Build Engine Started by a Script Process
editAn instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.
Rule type: query
Rule indices:
- winlogbeat-*
Severity: low
Risk score: 21
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum signals per execution: 100
Tags:
- Elastic
- Windows
Version: 1
Added (Elastic Stack release): 7.7.0
Potential false positives
editThe Build Engine is commonly used by Windows developers but use by non-engineers is unusual.
Rule query
editprocess.name:MSBuild.exe and process.parent.name:(cmd.exe or powershell.exe or cscript.exe or wscript.exe) and event.action:"Process Create (rule: ProcessCreate)"
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Trusted Developer Utilities
- ID: T1127
- Reference URL: https://attack.mitre.org/techniques/T1127/
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Trusted Developer Utilities
- ID: T1127
- Reference URL: https://attack.mitre.org/techniques/T1127/