suspicious_msbuild_spawn.yml
name: Suspicious MSBuild Spawn
id: a115fba6-5514-11eb-ae93-0242ac130002
version: 2
date: '2021-01-12'
author: Michael Haag, Splunk
type: TTP
datamodel:
- Endpoint
description: The following analytic identifies wmiprvse.exe spawning msbuild.exe.
  This behavior is indicative of a COM object being utilized to spawn msbuild from
  wmiprvse.exe. It is common for MSBuild.exe to be spawned from devenv.exe while using
  Visual Studio; in that case there will be command line arguments and file paths.
  In a malicious instance, MSBuild.exe will spawn from non-standard processes and
  have no command line arguments. For example, MSBuild.exe spawning from explorer.exe
  or powershell.exe is far less common and should be investigated.
search: '| tstats `security_content_summariesonly` count values(Processes.process_name)
  as process_name values(Processes.process) as process min(_time) as firstTime max(_time)
  as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe
  AND `process_msbuild` by Processes.dest Processes.parent_process Processes.original_file_name
  Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` | `suspicious_msbuild_spawn_filter`'
how_to_implement: To successfully implement this search you need to be ingesting information
  on processes, including the name of the parent process responsible for the changes, from
  your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition,
  confirm the latest CIM App 4.20 or higher is installed and the latest TA for the
  endpoint product.
known_false_positives: Although unlikely, some legitimate applications may exhibit
  this behavior, triggering a false positive.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Msbuild/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md
tags:
  analytic_story:
  - Trusted Developer Utilities Proxy Execution MSBuild
  asset_type: Endpoint
  automated_detection_testing: passed
  cis20:
  - CIS 8
  confidence: 60
  context:
  - Source:Endpoint
  - Stage:Defense Evasion
  - Stage:Execution
  dataset:
  - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1127.001/windows-sysmon.log
  impact: 70
  kill_chain_phases:
  - Exploitation
  message: Suspicious msbuild.exe process executed on $dest$ by $user$
  mitre_attack_id:
  - T1127
  - T1127.001
  nist:
  - PR.PT
  - DE.CM
  observable:
  - name: dest
    type: Endpoint
    role:
    - Victim
  - name: User
    type: User
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Processes.dest
  - Processes.user
  - Processes.parent_process_name
  - Processes.parent_process
  - Processes.original_file_name
  - Processes.process_name
  - Processes.process
  - Processes.process_id
  - Processes.parent_process_path
  - Processes.process_path
  - Processes.parent_process_id
  risk_score: 42
  security_domain: endpoint
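The filter and grouping that the `tstats` search above performs, re-implemented as an added Python example over constructed, CIM-normalised process events (this is not part of the Splunk content itself). It assumes the `process_msbuild` macro matches on either `process_name` or `original_file_name`, and adds a `no_arguments` flag drawn from the description's point that a malicious spawn typically carries no command line arguments.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed events already normalised to CIM Endpoint.Processes field names;
# _time is epoch seconds, as tstats returns it. WMI_PARENT is a constructed path.
WMI_PARENT = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
def ev(t, dest, user, pname, pproc, name, ofn, cmd):
    return {"_time": t, "dest": dest, "user": user, "parent_process_name": pname,
            "parent_process": pproc, "process_name": name, "original_file_name": ofn, "process": cmd}

EVENTS = [  # benign VS build; bare spawn from WMI; renamed copy with same PE name; WMI child that is not msbuild
    ev(1610450000, "ws01", r"CORP\alice", "devenv.exe", r"C:\VS\devenv.exe", "MSBuild.exe", "MSBuild.exe", "MSBuild.exe /t:Build app.csproj"),
    ev(1610450100, "ws02", r"CORP\bob", "WmiPrvSE.exe", WMI_PARENT, "msbuild.exe", "MSBuild.exe", "msbuild.exe"),
    ev(1610450160, "ws02", r"CORP\bob", "WmiPrvSE.exe", WMI_PARENT, "build.exe", "MSBuild.exe", "build.exe"),
    ev(1610450200, "ws03", r"CORP\carol", "WmiPrvSE.exe", WMI_PARENT, "cmd.exe", "Cmd.Exe", "cmd.exe /c whoami"),
]

def is_msbuild(e):
    # Assumed expansion of `process_msbuild`: on-disk name OR PE original file name,
    # so a renamed binary still matches (SPL field comparisons are case-insensitive).
    return "msbuild.exe" in (e["process_name"].lower(), e["original_file_name"].lower())

def ctime(epoch):
    # Stand-in for `security_content_ctime`: epoch seconds to a readable UTC string.
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")

def suspicious_msbuild_spawn(events):
    """Filter (parent is wmiprvse.exe AND child is msbuild), then aggregate per dest/parent_process/original_file_name/user."""
    groups = defaultdict(list)
    for e in events:
        if e["parent_process_name"].lower() == "wmiprvse.exe" and is_msbuild(e):
            groups[(e["dest"], e["parent_process"], e["original_file_name"], e["user"])].append(e)
    rows = []
    for (dest, parent, ofn, user), evs in groups.items():
        rows.append({
            "dest": dest, "parent_process": parent, "original_file_name": ofn, "user": user,
            "count": len(evs),
            "process_name": sorted({x["process_name"] for x in evs}),  # values(Processes.process_name)
            "process": sorted({x["process"] for x in evs}),            # values(Processes.process)
            "firstTime": ctime(min(x["_time"] for x in evs)),
            "lastTime": ctime(max(x["_time"] for x in evs)),
            # From the description: a spawn carrying no command line arguments is the unusual case.
            "no_arguments": all(len(x["process"].split()) == 1 for x in evs),
            "message": f"Suspicious msbuild.exe process executed on {dest} by {user}",
        })
    return rows

if __name__ == "__main__":
    for row in suspicious_msbuild_spawn(EVENTS): print(row)
```

Only the two ws02 events survive the filter and collapse into one row, the devenv.exe build and the cmd.exe child of WmiPrvSE.exe are both excluded.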