Skip to content
Threat Feed

Tag

Msbuild

7 briefs RSS
high advisory

Microsoft Build Engine Started by an Office Application

The Microsoft Build Engine (MSBuild) being started by an Office application is unusual behavior and could indicate a malicious document executing a script payload for defense evasion.

Microsoft Build Engine +2 defense-evasion execution msbuild windows
2r 1t
medium advisory

MSBuild Making Network Connections Indicating Potential Defense Evasion

MsBuild.exe making outbound network connections may indicate adversarial activity as attackers leverage MsBuild to execute code and evade detection.

MSBuild defense-evasion command-and-control
2r 2t
medium advisory

MSBuild Making Network Connections

Detection of MsBuild.exe making outbound network connections which may indicate adversarial activity used to execute code and evade detection.

MSBuild defense-evasion windows
2r 2t
medium advisory

MSBuild запускает необычные процессы

Adversaries may exploit MSBuild to execute malicious scripts or compile code, bypassing security controls; this rule detects unusual processes initiated by MSBuild, such as PowerShell or C# compiler, signaling potential misuse for executing unauthorized or harmful actions.

MSBuild +3 defense-evasion execution
2r 3t
medium advisory

Suspicious MSBuild Execution from Scripting Processes

Adversaries may use MSBuild, a legitimate Microsoft tool, to execute malicious code through script interpreters for defense evasion and execution on Windows systems.

MSBuild defense-evasion execution proxy-execution
2r 6t
medium advisory

MSBuild Started by System Process for Defense Evasion and Execution

Adversaries are leveraging MSBuild, a Microsoft Build Engine, to execute malicious code by initiating it from system processes such as Explorer or WMI to evade defenses and execute unauthorized actions.

Elastic Defend +3 defense-evasion execution msbuild proxy-execution windows
2r 2t
medium advisory

Microsoft Build Engine Executed After Renaming

Attackers may rename the Microsoft Build Engine (MSBuild) executable to evade detection and proxy execution of malicious code.

MSBuild defense-evasion execution masquerading
2r 2t