Elastic Security Detection Rules

Microsoft Build Engine Started by an Office Application

Last updated 13 days ago on 2026-04-29
Created 6 years ago on 2020-03-25

About

An instance of MSBuild, the Microsoft Build Engine, was started by an Office application. This is unusual behavior for the Build Engine and could have been caused by a malicious document executing a script payload.
Tags
Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Defense EvasionData Source: Elastic EndgameData Source: Elastic DefendData Source: Windows Security Event LogsData Source: Microsoft Defender XDRData Source: SysmonData Source: SentinelOneData Source: CrowdstrikeLanguage: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Defense Evasion (TA0005)(external, opens in a new tab or window)

Trusted Developer Utilities Proxy Execution (T1127)(external, opens in a new tab or window)

Execution (TA0002)(external, opens in a new tab or window)

User Execution (T1204)(external, opens in a new tab or window)

False Positive Examples
The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
endgame-*logs-crowdstrike.fdr*logs-endpoint.events.process-*logs-m365_defender.event-*logs-sentinel_one_cloud_funnel.*logs-system.security*logs-windows.forwarded*logs-windows.sysmon_operational-*winlogbeat-*
Related Integrations

endpoint(external, opens in a new tab or window)

windows(external, opens in a new tab or window)

system(external, opens in a new tab or window)

m365_defender(external, opens in a new tab or window)

sentinel_one_cloud_funnel(external, opens in a new tab or window)

crowdstrike(external, opens in a new tab or window)

Query
text code block:
process where host.os.type == "windows" and event.type == "start" and
  process.name : "MSBuild.exe" and
  process.parent.name : ("eqnedt32.exe",
                         "excel.exe",
                         "fltldr.exe",
                         "msaccess.exe",
                         "mspub.exe",
                         "outlook.exe",
                         "powerpnt.exe",
                         "winword.exe" )

Install detection rules in Elastic Security

Detect Microsoft Build Engine Started by an Office Application in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).