1{ 2 "author": [ 3 "Elastic" 4 ], 5 "description": "An instance of MSBuild, the Microsoft Build Engine, was started under a file name other than MSBuild.exe (the running process name does not match the original file name recorded in the executable's PE header). This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", 6 "false_positives": [ 7 "The Build Engine is commonly used by Windows developers, but use by non-engineers is unusual." 8 ], 9 "from": "now-9m", 10 "index": [ 11 "winlogbeat-*", 12 "logs-endpoint.events.*", 13 "logs-windows.*" 14 ], 15 "language": "eql", 16 "license": "Elastic License v2", 17 "name": "Microsoft Build Engine Using an Alternate Name", 18 "query": "process where event.type in (\"start\", \"process_started\") and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", 19 "risk_score": 21, 20 "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", 21 "severity": "low", 22 "tags": [ 23 "Elastic", 24 "Host", 25 "Windows", 26 "Threat Detection", 27 "Defense Evasion" 28 ], 29 "threat": [ 30 { 31 "framework": "MITRE ATT&CK", 32 "tactic": { 33 "id": "TA0005", 34 "name": "Defense Evasion", 35 "reference": "https://attack.mitre.org/tactics/TA0005/" 36 }, 37 "technique": [ 38 { 39 "id": "T1036", 40 "name": "Masquerading", 41 "reference": "https://attack.mitre.org/techniques/T1036/", 42 "subtechnique": [ 43 { 44 "id": "T1036.003", 45 "name": "Rename System Utilities", 46 "reference": "https://attack.mitre.org/techniques/T1036/003/" 47 } 48 ] 49 } 50 ] 51 } 52 ], 53 "timestamp_override": "event.ingested", 54 "type": "eql", 55 "version": 9 56} 57