Query Details

Suspicious MS Build Remote Thread

Query

DeviceEvents
| where ActionType =~ 'CreateRemoteThreadApiCall'
| where FileName =~ 'MSBuild.exe'
// Exclude Visual Studio
| where not(FolderPath has_all ('Program Files', 'Microsoft Visual Studio', @'MSBuild\Current\Bin'))
// Enrichment based on commandline
| join kind=leftouter (DeviceNetworkEvents | project ConnectionTime = Timestamp, DeviceId, InitiatingProcessCommandLine, RemoteThreadIP = RemoteIP, RemotePort) on $left.ProcessCommandLine == $right.InitiatingProcessCommandLine, DeviceId
| join kind=leftouter (DeviceProcessEvents | summarize ExecutedCommands = make_set(ProcessCommandLine) by DeviceId, InitiatingProcessCommandLine) on $left.ProcessCommandLine == $right.InitiatingProcessCommandLine, DeviceId
| project-reorder Timestamp, ConnectionTime, RemoteThreadIP, ExecutedCommands

About this query

Explanation

This query is designed to detect potentially suspicious activities involving the use of MSBuild.exe, a legitimate Windows utility, which might be exploited by attackers to execute malicious code. Here's a simplified breakdown of what the query does:

  1. Targeted Action: It looks for events where a remote thread is created by MSBuild.exe. This could indicate malicious activities like Command & Control (C2) communications or reverse shell operations.

  2. Exclusion of Legitimate Use: The query excludes instances where MSBuild.exe is used within the Visual Studio installation directory, as these are likely legitimate uses by developers.

  3. Data Enrichment:

    • It enriches the results by joining with network event data to gather additional information such as the time of connection, the device ID, the command line that initiated the process, and the remote IP and port involved.
    • It also joins with process event data to compile a list of commands executed on the device, providing further context for the investigation.
  4. Output: The final output includes the timestamp of the event, connection time, remote IP address, and the list of executed commands, helping analysts to assess and investigate the potential threat.

This query helps security analysts identify and investigate suspicious uses of MSBuild.exe that could indicate an attack leveraging trusted utilities for malicious purposes.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 17, 2025

Tables

DeviceEventsDeviceNetworkEventsDeviceProcessEvents

Keywords

DeviceEventsDeviceNetworkEventsDeviceProcessEventsMSBuildRemoteThreadIPExecutedCommandsConnectionTimeFileNameActionTypeFolderPathProgramFilesMicrosoftVisualStudioProcessCommandLineDeviceIdInitiatingProcessCommandLineRemotePort

Operators

where=~nothas_alljoinkind=leftouterprojecton==summarizemake_setbyproject-reorder

MITRE Techniques

Actions

GitHub