# Suspicious MSBuild Remote Thread
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | https://attack.mitre.org/techniques/T1127/001/ |
#### Description
Adversaries may use MSBuild.exe, a trusted Windows LOLBin, to build and execute code. In this specific scenario MSBuild.exe creates a suspicious remote thread, which can indicate Command & Control traffic or reverse shell activity.
The enrichment based on *DeviceNetworkEvents* or *DeviceProcessEvents* can optionally be added to the rule to give the analysts investigating the alert more context in the results.
#### Risk
Potential C2 or reverse shell activity
#### References
- https://lolbas-project.github.io/lolbas/Binaries/Msbuild/
## Defender XDR
```KQL
DeviceEvents
| where ActionType =~ "CreateRemoteThreadApiCall"
| where FileName =~ "MSBuild.exe"
// Exclude Visual Studio
| where not(FolderPath has_all ('Program Files', 'Microsoft Visual Studio', @'MSBuild\Current\Bin'))
// Enrichment based on commandline
| join kind=leftouter (DeviceNetworkEvents | project ConnectionTime = Timestamp, DeviceId, InitiatingProcessCommandLine, RemoteThreadIP = RemoteIP, RemotePort) on $left.ProcessCommandLine == $right.InitiatingProcessCommandLine, DeviceId
| join kind=leftouter (DeviceProcessEvents | summarize ExecutedCommands = make_set(ProcessCommandLine) by DeviceId, InitiatingProcessCommandLine) on $left.ProcessCommandLine == $right.InitiatingProcessCommandLine, DeviceId
| project-reorder Timestamp, ConnectionTime, RemoteThreadIP, ExecutedCommands
```
## Sentinel
```KQL
DeviceEvents
| where ActionType =~ "CreateRemoteThreadApiCall"
| where FileName =~ "MSBuild.exe"
// Exclude Visual Studio
| where not(FolderPath has_all ('Program Files', 'Microsoft Visual Studio', @'MSBuild\Current\Bin'))
// Enrichment based on commandline
| join kind=leftouter (DeviceNetworkEvents | project ConnectionTime = TimeGenerated, DeviceId, InitiatingProcessCommandLine, RemoteThreadIP = RemoteIP, RemotePort) on $left.ProcessCommandLine == $right.InitiatingProcessCommandLine, DeviceId
| join kind=leftouter (DeviceProcessEvents | summarize ExecutedCommands = make_set(ProcessCommandLine) by DeviceId, InitiatingProcessCommandLine) on $left.ProcessCommandLine == $right.InitiatingProcessCommandLine, DeviceId
| project-reorder TimeGenerated, ConnectionTime, RemoteThreadIP, ExecutedCommands
```
This query is designed to detect potentially suspicious activity involving MSBuild.exe, a legitimate Windows tool that attackers might abuse to execute malicious code. Here's a simplified breakdown of what the query does:
- Targeted Action: It looks for events where a remote thread is created by MSBuild.exe. This is significant because creating remote threads is a technique malware uses to execute code in the context of another process.
- Exclusion of Legitimate Use: The query excludes instances where MSBuild.exe runs from the typical Visual Studio installation path. This filters out legitimate MSBuild use by developers.
- Enrichment with Network and Process Data: Two left outer joins on the device and the MSBuild command line add the connection time, remote IP and remote port of any network connections the process made (*DeviceNetworkEvents*) and the set of commands it spawned (*DeviceProcessEvents*). Because the joins are left outer, the remote thread event is kept even when no enrichment data exists.
- Output: The query reorders the output to show the timestamp of the event, the connection time, the remote IP address, and any executed commands first, which helps analysts quickly assess the potential threat.
Overall, this query helps security analysts identify and investigate potential Command & Control (C2) or reverse shell activity that might be using MSBuild.exe as a proxy for malicious actions.
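To make the filter and the two enrichment joins concrete, the following Python re-implements the query's logic over a handful of constructed event rows. This is an added example, not part of the original query page or its author's repository; the row dictionaries, device ids, paths, IP and port are all made up, and the `has_all` path test is approximated with case-insensitive substring matching (KQL `has_all` is term-based, so this is a simplification).

```python
"""Added example: the MSBuild remote-thread detection re-implemented over constructed rows."""
from collections import defaultdict

# Fragments that must ALL appear in FolderPath for the Visual Studio exclusion to apply,
# mirroring the KQL has_all() clause. Matching here is a substring approximation.
VISUAL_STUDIO_PATH_PARTS = ("Program Files", "Microsoft Visual Studio", r"MSBuild\Current\Bin")


def is_visual_studio_msbuild(folder_path: str) -> bool:
    """True when every exclusion fragment is present (case-insensitive)."""
    lowered = folder_path.lower()
    return all(part.lower() in lowered for part in VISUAL_STUDIO_PATH_PARTS)


def detect(device_events, network_events, process_events):
    """Return enriched hits: MSBuild.exe remote-thread events outside the VS install path."""
    # Index both enrichment tables by the join key (DeviceId, InitiatingProcessCommandLine).
    net_by_key = defaultdict(list)
    for ev in network_events:
        net_by_key[(ev["DeviceId"], ev["InitiatingProcessCommandLine"])].append(ev)
    cmds_by_key = defaultdict(set)  # equivalent of summarize make_set(ProcessCommandLine)
    for ev in process_events:
        cmds_by_key[(ev["DeviceId"], ev["InitiatingProcessCommandLine"])].add(ev["ProcessCommandLine"])

    hits = []
    for ev in device_events:
        if ev["ActionType"].lower() != "createremotethreadapicall":  # =~ is case-insensitive
            continue
        if ev["FileName"].lower() != "msbuild.exe":
            continue
        if is_visual_studio_msbuild(ev["FolderPath"]):
            continue
        key = (ev["DeviceId"], ev["ProcessCommandLine"])
        # kind=leftouter: keep the hit even when no network row matches (one output row per match).
        for net in net_by_key.get(key) or [None]:
            hits.append({
                "Timestamp": ev["Timestamp"],
                "DeviceId": ev["DeviceId"],
                "ProcessCommandLine": ev["ProcessCommandLine"],
                "ConnectionTime": net["ConnectionTime"] if net else None,
                "RemoteThreadIP": net["RemoteIP"] if net else None,
                "RemotePort": net["RemotePort"] if net else None,
                "ExecutedCommands": sorted(cmds_by_key.get(key, ())),
            })
    return hits


# Constructed sample telemetry (not real data). The temp-folder MSBuild on dev-1 should be
# reported with enrichment, the Visual Studio copy on dev-2 excluded, and the .NET Framework
# copy on dev-3 reported without enrichment because no joined rows exist for it.
TEMP_CMDLINE = r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.xml"
SAMPLE_DEVICE_EVENTS = [
    {"Timestamp": "2025-12-15T10:00:00Z", "DeviceId": "dev-1", "ActionType": "CreateRemoteThreadApiCall",
     "FileName": "MSBuild.exe", "FolderPath": r"C:\Users\alice\AppData\Local\Temp\MSBuild.exe",
     "ProcessCommandLine": TEMP_CMDLINE},
    {"Timestamp": "2025-12-15T10:05:00Z", "DeviceId": "dev-2", "ActionType": "CreateRemoteThreadApiCall",
     "FileName": "MSBuild.exe",
     "FolderPath": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "ProcessCommandLine": "MSBuild.exe MyApp.sln"},
    {"Timestamp": "2025-12-15T10:06:00Z", "DeviceId": "dev-1", "ActionType": "ProcessCreated",
     "FileName": "MSBuild.exe", "FolderPath": r"C:\Users\alice\AppData\Local\Temp\MSBuild.exe",
     "ProcessCommandLine": TEMP_CMDLINE},
    {"Timestamp": "2025-12-15T10:09:00Z", "DeviceId": "dev-3", "ActionType": "CreateRemoteThreadApiCall",
     "FileName": "MSBuild.exe", "FolderPath": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ProcessCommandLine": r"MSBuild.exe C:\ProgramData\task.csproj"},
]
SAMPLE_NETWORK_EVENTS = [
    {"ConnectionTime": "2025-12-15T10:00:03Z", "DeviceId": "dev-1",
     "InitiatingProcessCommandLine": TEMP_CMDLINE, "RemoteIP": "203.0.113.10", "RemotePort": 4444},
]
SAMPLE_PROCESS_EVENTS = [
    {"DeviceId": "dev-1", "InitiatingProcessCommandLine": TEMP_CMDLINE, "ProcessCommandLine": "whoami"},
    {"DeviceId": "dev-1", "InitiatingProcessCommandLine": TEMP_CMDLINE, "ProcessCommandLine": "cmd.exe /c ipconfig"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_DEVICE_EVENTS, SAMPLE_NETWORK_EVENTS, SAMPLE_PROCESS_EVENTS):
        print(hit)
```

Running the script prints two hits: the dev-1 event carrying the remote IP, port and executed commands, and the dev-3 event with empty enrichment fields, which is exactly the behaviour the left outer joins give the KQL version. The dev-2 Visual Studio row is dropped by the path exclusion and the dev-1 `ProcessCreated` row by the `ActionType` filter.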

Bert-Jan Pals
Released: December 15, 2025