MsBuild Making Network Connections
Identifies MsBuild.exe making outbound network connections. This may indicate
adversarial activity, as MSBuild is often leveraged by adversaries to execute
code and evade detection.
Rule indices:
- winlogbeat-*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time)
Maximum signals per execution: 100
Tags:
- Elastic
- Windows
Rule version: 1
Added (Elastic Stack release): 7.6.0
Rule query
event.action:"Network connection detected (rule: NetworkConnect)" and
process.name:MSBuild.exe and not destination.ip:("127.0.0.1" or "::1")
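An added example, not Elastic's rule engine or code from this page: a small Python evaluator that applies the query above to constructed Winlogbeat-style events. It shows the loopback exclusion, that only the two listed literals are excluded (127.0.0.2 still signals), and the assumed case-sensitive keyword match on process.name.

```python
import ipaddress
# Field values the rule keys on, copied from the query on this page.
RULE_ACTION = "Network connection detected (rule: NetworkConnect)"
RULE_PROCESS = "MSBuild.exe"
EXCLUDED_DESTINATIONS = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}

def get_field(event, dotted):
    """Resolve an ECS dotted path such as 'destination.ip' in a nested event dict."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def matches_rule(event):
    """Evaluate the rule query against one event (assumption: process.name is a
    keyword field, so KQL compares it exactly and case-sensitively)."""
    if get_field(event, "event.action") != RULE_ACTION:
        return False
    if get_field(event, "process.name") != RULE_PROCESS:
        return False
    dest = get_field(event, "destination.ip")
    if dest is None:
        return True  # 'not destination.ip:(...)' holds when the field is absent
    try:
        return ipaddress.ip_address(dest) not in EXCLUDED_DESTINATIONS
    except ValueError:
        return True  # an unparsable value cannot equal either excluded literal

def run_rule(events):
    """Return the events that would raise a signal under this rule."""
    return [e for e in events if matches_rule(e)]

def make_event(action, name, dest_ip=None):
    """Build a minimal ECS-shaped event (helper for the constructed samples below)."""
    event = {"event": {"action": action}, "process": {"name": name}}
    if dest_ip is not None:
        event["destination"] = {"ip": dest_ip}
    return event

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    make_event(RULE_ACTION, "MSBuild.exe", "203.0.113.10"),  # external destination: signal
    make_event(RULE_ACTION, "MSBuild.exe", "127.0.0.1"),     # IPv4 loopback: excluded
    make_event(RULE_ACTION, "MSBuild.exe", "::1"),           # IPv6 loopback: excluded
    make_event(RULE_ACTION, "MSBuild.exe", "127.0.0.2"),     # other loopback address: still signals
    make_event(RULE_ACTION, "msbuild.exe", "203.0.113.10"),  # case mismatch on keyword field: no signal
    make_event("Process Create (rule: ProcessCreate)", "MSBuild.exe"),  # not a NetworkConnect event
]
```

`run_rule(SAMPLE_EVENTS)` returns the first and fourth events; tightening the exclusion to the whole 127.0.0.0/8 range would be a rule change, not what the query as written does.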
Threat mapping
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Execution
  - ID: TA0002
  - Reference URL: https://attack.mitre.org/tactics/TA0002/
- Technique:
  - Name: Trusted Developer Utilities
  - ID: T1127
  - Reference URL: https://attack.mitre.org/techniques/T1127/