Defense Evasion (TA0005)(external, opens in a new tab or window)
text code block:sequence by process.entity_id with maxspan=30s /* Look for MSBuild.exe process execution */ /* The events for this first sequence may be noisy, consider adding exceptions */ [process where host.os.type == "windows" and event.type == "start" and ( process.pe.original_file_name: "MSBuild.exe" or process.name: "MSBuild.exe" ) and not user.id == "S-1-5-18"] /* Followed by a network connection to an external address */ /* Exclude domains that are known to be benign */ [network where host.os.type == "windows" and event.action: ("connection_attempted", "lookup_requested") and ( process.pe.original_file_name: "MSBuild.exe" or process.name: "MSBuild.exe" ) and not user.id == "S-1-5-18" and not cidrmatch(destination.ip, "127.0.0.1", "::1") and not dns.question.name : ( "localhost", "dc.services.visualstudio.com", "vortex.data.microsoft.com", "api.nuget.org")]
Install detection rules in Elastic Security
Detect MsBuild Making Network Connections in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).