Msbuild

The Microsoft Build Engine (MSBuild) being started by an Office application is unusual behavior and could indicate a malicious document executing a script payload for defense evasion.

MsBuild.exe making outbound network connections may indicate adversarial activity as attackers leverage MsBuild to execute code and evade detection.

Detection of MsBuild.exe making outbound network connections which may indicate adversarial activity used to execute code and evade detection.

The analytic identifies instances where wmiprvse.exe spawns msbuild.exe, an unusual process relationship indicative of potential COM object misuse and unauthorized code execution on Windows systems.

Adversaries may exploit MSBuild to execute malicious scripts or compile code, bypassing security controls; this rule detects unusual processes initiated by MSBuild, such as PowerShell or C# compiler, signaling potential misuse for executing unauthorized or harmful actions.

Adversaries may use MSBuild, a legitimate Microsoft tool, to execute malicious code through script interpreters for defense evasion and execution on Windows systems.

Detection of msbuild.exe execution from a non-standard path, indicating potential attempts to evade detection and execute malicious code.

Adversaries are leveraging MSBuild, a Microsoft Build Engine, to execute malicious code by initiating it from system processes such as Explorer or WMI to evade defenses and execute unauthorized actions.

Detects the suspicious spawning of MSBuild.exe by Windows Script Host processes (cscript.exe or wscript.exe), a behavior often associated with malware executing malicious MSBuild processes via scripts.

Attackers may rename the Microsoft Build Engine (MSBuild) executable to evade detection and proxy execution of malicious code.

The analytic detects the execution of renamed instances of msbuild.exe, a legitimate tool abused by attackers to execute malicious code while evading detection, potentially leading to system compromise, data exfiltration, or lateral movement.