Rules: Renamed MSBUILD.EXE by Arguments
From FireEye Red Team Tool Countermeasures: This alert looks for renamed msbuild.exe process executions based on common command line arguments used for msbuild.exe. Attackers frequently use msbuild.exe (or renamed versions of this binary) to execute arbitrary CSharp payloads written to disk most commonly as .csproj files (though any file with an extension ending in "proj" will work) either referenced on the command line or located in the same directory as the msbuild.exe binary. The XML payload on disk should be acquired and examined to determine the functionality of the payload.
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Defense Evasion |
| Apply Risk to Entities | device_hostname, user_username, device_ip |
| Signal Name | Renamed MSBUILD.EXE by Arguments |
| Summary Expression | Detected MSBUILD.exe command line arguments on host: {{device_hostname}} |
| Score/Severity | Static: 5 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0005, _mitreAttackTechnique:T1127.001, _mitreAttackTechnique:T1127 |
| Origin | Field |
|---|---|
| Normalized Schema | baseImage |
| Normalized Schema | commandLine |
| Normalized Schema | device_hostname |
| Normalized Schema | device_ip |
| Normalized Schema | file_path |
| Normalized Schema | parentBaseImage |
| Normalized Schema | user_username |