Query Details

TTP Detection Rule: Suspicious network connection from MSBuild

Ttp T1127 001 Susp Network Conn MS Build

Query

// Detection opportunity 5: MSBuild without commands
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "msbuild.exe" and (isempty(InitiatingProcessCommandLine) or InitiatingProcessCommandLine =~ "msbuild.exe")

About this query

Explanation

This query is designed to detect suspicious activity involving the Microsoft Build Engine (msbuild.exe). It specifically looks for instances where msbuild.exe is making network connections without any associated command line arguments. This behavior is unusual and could indicate malicious activity, as msbuild.exe is typically used with specific commands to build software projects.

The query checks the DeviceNetworkEvents data for any events where the initiating process is msbuild.exe and either has no command line arguments or the command line is simply "msbuild.exe" without additional instructions. This could be a sign of exploitation by attackers using msbuild.exe as a proxy to execute unauthorized actions, such as connecting to remote servers.

The detection rule is based on the MITRE ATT&CK framework technique T1127.001, which involves using trusted developer utilities like MSBuild for proxy execution. This technique has been associated with threats like FIN7, ZLoader, and FakeBat, which may attempt to evade security measures by modifying or disabling security tools.

In summary, the query helps identify potential misuse of msbuild.exe for unauthorized network connections, which could be part of a larger malicious campaign.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsInitiatingProcessFileNameCommandLine

Operators

|where=~andisemptyor

MITRE Techniques

Actions

GitHub