The SIEM app is now a part of the Elastic Security solution.
Click
here to view the current documentation.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
Microsoft Build Engine Started by an Office Application
editMicrosoft Build Engine Started by an Office Application
editAn instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.
Rule type: query
Rule indices:
- winlogbeat-*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum signals per execution: 100
References:
Tags:
- Elastic
- Windows
Version: 1
Added (Elastic Stack release): 7.7.0
Potential false positives
editThe Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel.
Rule query
editprocess.name:MSBuild.exe and process.parent.name:(eqnedt32.exe or excel.exe or fltldr.exe or msaccess.exe or mspub.exe or outlook.exe or powerpnt.exe or winword.exe) and event.action: "Process Create (rule: ProcessCreate)"
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Trusted Developer Utilities
- ID: T1127
- Reference URL: https://attack.mitre.org/techniques/T1127/
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Trusted Developer Utilities
- ID: T1127
- Reference URL: https://attack.mitre.org/techniques/T1127/