MSBuild.exe is invoked outside expected developer/build contexts or with anomalous arguments (e.g., non-canonical paths, remote shares, Base64/obfuscated property values). Within a short window, it (a) spawns high-risk LOLBins/script interpreters, (b) writes new PE/DLL/script artifacts into user-writable paths and executes them, (c) loads unsigned/user-writable modules, (d) performs memory injection/thread creation into other processes, and/or (e) initiates outbound network connections.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3, 22 |
| Process Modification (DC0020) | WinEventLog:Sysmon | EventCode=8 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Process Metadata (DC0034) | WinEventLog:Microsoft-Windows-CodeIntegrity/Operational | Unsigned/invalid signature modules or images loaded by msbuild.exe or its children |
| Script Execution (DC0029) | EDR:AMSI | Malicious inline C#/script blobs embedded in MSBuild projects if intercepted by AMSI-aware loaders (rare but possible via chained LOLBins) |

| Field | Description |
|---|---|
| TimeWindow | Correlation window between msbuild.exe start, payload write, suspicious child spawn, and network (e.g., 0–30 minutes). |
| DeveloperHosts | Tag/allowlist known developer or CI/CD hosts to reduce noise. |
| SuspiciousChildList | High-risk children (powershell.exe, rundll32.exe, regsvr32.exe, cmd.exe, wscript.exe, mshta.exe) spawned by msbuild.exe. |
| RarePathRegex | Regex of user-writable or atypical paths (e.g., %TEMP%, %APPDATA%, OneDrive sync dirs) used to drop payloads. |
| UnsignedOrInvalidSignatureOnly | Tighten alerting to cases with invalid or missing signatures on modules/children. |
| NetworkReputationThreshold | Minimum rarity/risk score for external destinations to alert. |
| BehaviorRiskScoreThreshold | Numeric threshold for fused, scored correlation (e.g., ≥70/100 triggers an alert). |
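A minimal fused-score correlation of the log sources and tunables above, as an added example rather than code from this analytic: each msbuild.exe start is scored against constructed Sysmon-style events (process create, file create, image load, network) on the same host inside TimeWindow. The host names, weights, sample paths and the placeholder public address are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Tunables from the table above; these values are assumptions for this example.
TIME_WINDOW = timedelta(minutes=30)
DEVELOPER_HOSTS = {"ci-build01"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
RARE_PATH_RE = re.compile(r"\\(Temp|AppData\\Roaming|OneDrive)\\", re.I)
BEHAVIOR_RISK_THRESHOLD = 70
# Score added per correlated behaviour (assumed weights; tune to your environment).
WEIGHTS = {"anomalous_args": 20, "suspicious_child": 30, "rare_path_write": 25, "unsigned_load": 25, "network": 20}
# Constructed Sysmon-style events: code 1 process create, 3 network, 7 image load, 11 file create.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "ws42", "code": 1, "pid": 100, "ppid": 50, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "cmd": r"MSBuild.exe C:\Users\bob\AppData\Roaming\proj.xml"},
    {"ts": "2024-05-01T10:00:05", "host": "ws42", "code": 11, "pid": 100, "target": r"C:\Users\bob\AppData\Local\Temp\stage.dll"},
    {"ts": "2024-05-01T10:00:06", "host": "ws42", "code": 7, "pid": 100, "image": r"C:\Users\bob\AppData\Local\Temp\stage.dll", "signed": False},
    {"ts": "2024-05-01T10:00:09", "host": "ws42", "code": 1, "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell.exe"},
    {"ts": "2024-05-01T10:00:12", "host": "ws42", "code": 3, "pid": 100, "dst": "8.8.8.8"},  # placeholder public address
    {"ts": "2024-05-01T11:00:00", "host": "ci-build01", "code": 1, "pid": 200, "ppid": 60, "image": r"C:\Program Files\dotnet\MSBuild.exe", "cmd": r"MSBuild.exe D:\src\app.sln"},
]

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_msbuild_sessions(events):
    """Correlate events around each msbuild.exe start on a host; return one scored session per start."""
    events = sorted(events, key=lambda e: e["ts"])
    results = []
    for root in events:
        if root["code"] != 1 or _name(root["image"]) != "msbuild.exe" or root["host"] in DEVELOPER_HOSTS:
            continue  # not an msbuild start, or an allowlisted developer/CI host
        start = datetime.fromisoformat(root["ts"])
        seen = {"anomalous_args"} if RARE_PATH_RE.search(root["cmd"]) else set()  # project file in a user-writable dir
        for e in events:
            if e["host"] != root["host"] or not (start <= datetime.fromisoformat(e["ts"]) <= start + TIME_WINDOW):
                continue
            same, child = e.get("pid") == root["pid"], e.get("ppid") == root["pid"]
            if e["code"] == 1 and child and _name(e["image"]) in SUSPICIOUS_CHILDREN:
                seen.add("suspicious_child")
            elif e["code"] == 11 and same and RARE_PATH_RE.search(e["target"]):
                seen.add("rare_path_write")
            elif e["code"] == 7 and same and not e.get("signed", True):
                seen.add("unsigned_load")
            elif e["code"] == 3 and same and not ipaddress.ip_address(e["dst"]).is_private:
                seen.add("network")
        score = min(100, sum(WEIGHTS[b] for b in seen))
        results.append({"host": root["host"], "pid": root["pid"], "score": score,
                        "alert": score >= BEHAVIOR_RISK_THRESHOLD, "behaviours": sorted(seen)})
    return results
```

Each behaviour counts once per session regardless of how many events match it, so a single noisy child process cannot push an otherwise benign build over the threshold on its own.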