sequence by process.entity_id with maxspan=30s
/* Look for MSBuild.exe process execution */
/* The events for this first sequence may be noisy, consider adding exceptions */
[process where host.os.type == "windows" and event.type == "start" and
(
process.pe.original_file_name: "MSBuild.exe" or
process.name: "MSBuild.exe"
) and
not user.id == "S-1-5-18"]
/* Followed by a network connection to an external address */
/* Exclude domains that are known to be benign */
[network where host.os.type == "windows" and
event.action: ("connection_attempted", "lookup_requested") and
(
process.pe.original_file_name: "MSBuild.exe" or
process.name: "MSBuild.exe"
) and
not user.id == "S-1-5-18" and
not cidrmatch(destination.ip, "127.0.0.1", "::1") and
not dns.question.name : (
"localhost",
"dc.services.visualstudio.com",
"vortex.data.microsoft.com",
"api.nuget.org")]
Install detection rules in Elastic Security
Detect MsBuild Making Network Connections in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).