Microsoft Build Engine Started by an Office Application

Elastic Detection Rules

Summary
This detection rule identifies abnormal instances where the Microsoft Build Engine (MSBuild.exe) is launched by a Microsoft Office application such as Excel or Word. Under normal circumstances, MSBuild is used primarily by developers to build software projects, so its launch by an Office application is atypical and potentially indicative of malicious activity, such as the execution of harmful scripts embedded in Office documents. The rule uses EQL (Event Query Language) to monitor Windows process start events whose parent process is a Microsoft Office application. As part of the response and remediation plan, investigators are encouraged to examine the entire process execution chain, analyze any associated documents, and carry out incident response procedures if malicious activity is confirmed. A comprehensive approach is advised to handle potential false positives and mitigate risk effectively while adhering to security best practices.
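The parent/child relationship the summary describes can be expressed as a small piece of detection logic and run over process-start events. The following is an added example, not the Elastic rule's own EQL query: it renders the same condition in Python and runs it over constructed sample events. Excel and Word are the Office parents named on this page; the other Office image names in the list, the ECS-style field names, and the sample events are assumptions made for the example.

```python
# Added example (not the Elastic rule's EQL): the detection logic described in
# the summary, applied to constructed Windows process-start events.

from dataclasses import dataclass

# Parent process names treated as Microsoft Office applications. Excel and
# Word come from the rule summary; the remaining entries are an assumption,
# included to show how the parent list generalises. Matching is
# case-insensitive because image-name casing varies between data sources.
OFFICE_PARENTS = frozenset({
    "excel.exe",      # named on the page
    "winword.exe",    # named on the page
    "powerpnt.exe",   # assumed
    "outlook.exe",    # assumed
    "msaccess.exe",   # assumed
    "mspub.exe",      # assumed
})

MSBUILD_NAMES = frozenset({"msbuild.exe"})


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal view of a process event, using ECS-like field names (assumed)."""
    os_type: str        # host.os.type
    event_type: str     # event.type ("start" / "end")
    name: str           # process.name
    parent_name: str    # process.parent.name
    command_line: str   # process.command_line


def is_msbuild_started_by_office(ev: ProcessEvent) -> bool:
    """True when a Windows process-start event shows MSBuild.exe whose
    direct parent is a Microsoft Office application."""
    return (
        ev.os_type == "windows"
        and ev.event_type == "start"
        and ev.name.lower() in MSBUILD_NAMES
        and ev.parent_name.lower() in OFFICE_PARENTS
    )


def find_alerts(events):
    """Return the matching events in input order; the command line is kept
    so an analyst can see which project file MSBuild was asked to build."""
    return [ev for ev in events if is_msbuild_started_by_office(ev)]


# Constructed sample events: one true positive, then benign MSBuild use from
# Visual Studio, benign Office child activity, a process-end event, and a
# non-Windows host. Only the first should alert.
MSBUILD_PATH = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    ProcessEvent("windows", "start", "MSBuild.exe", "WINWORD.EXE",
                 MSBUILD_PATH + r" C:\Users\user\AppData\Local\Temp\proj.csproj"),
    ProcessEvent("windows", "start", "MSBuild.exe", "devenv.exe",
                 MSBUILD_PATH + r" C:\src\app\app.sln"),
    ProcessEvent("windows", "start", "splwow64.exe", "EXCEL.EXE",
                 r"C:\Windows\splwow64.exe 12288"),
    ProcessEvent("windows", "end", "MSBuild.exe", "EXCEL.EXE", ""),
    ProcessEvent("linux", "start", "msbuild.exe", "winword.exe", "wine msbuild.exe"),
]

if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT parent={ev.parent_name} child={ev.name} cmd={ev.command_line}")
```

The benign samples illustrate where false positives do not come from: MSBuild launched by a developer tool and ordinary Office child processes both fall outside the condition, so tuning effort goes into the rare legitimate case of an Office-launched build rather than the parent list itself.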
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
  • Network Traffic
  • Malware Repository
ATT&CK Techniques
  • T1127
  • T1127.001
Created: 2020-03-25