T1127.001

MSBuild

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations. Adversaries can abuse MSBuild to proxy execution of malicious code via the inline task capability introduced in .NET 4, which allows C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. Because MSBuild.exe is a signed Microsoft binary, this technique can execute arbitrary code and bypass application control defenses configured to allow MSBuild.exe execution. Threat actors including PlugX malware and the Empire framework have used this technique to load shellcode and proxy malicious execution.

Microsoft Sentinel / Defender

kusto

let SuspiciousParents = dynamic(["cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe","explorer.exe","outlook.exe","winword.exe","excel.exe","powerpnt.exe","rundll32.exe","regsvr32.exe","wmic.exe"]);
let SuspiciousChildProcesses = dynamic(["cmd.exe","powershell.exe","pwsh.exe","net.exe","net1.exe","whoami.exe","ipconfig.exe","nltest.exe","certutil.exe","bitsadmin.exe","regsvr32.exe","rundll32.exe","mshta.exe","wscript.exe","cscript.exe","schtasks.exe","at.exe","reg.exe","sc.exe","curl.exe","wget.exe"]);
let SuspiciousPaths = dynamic(["\\Temp\\","\\AppData\\Local\\","\\AppData\\Roaming\\","\\ProgramData\\","\\Users\\Public\\","\\Windows\\Tasks\\","\\Desktop\\","\\Downloads\\"]);
// Branch 1: MSBuild spawning suspicious child processes
let MSBuildChildProcs = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "MSBuild.exe"
| where FileName has_any (SuspiciousChildProcesses)
| extend DetectionBranch = "MSBuild spawned suspicious child process"
| extend RiskScore = 90;
// Branch 2: MSBuild executed from suspicious parent (non-build tooling)
let MSBuildSuspiciousParent = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "MSBuild.exe"
| where InitiatingProcessFileName has_any (SuspiciousParents)
| extend DetectionBranch = "MSBuild launched by suspicious parent"
| extend RiskScore = 80;
// Branch 3: MSBuild loading project files from suspicious paths
let MSBuildSuspiciousPaths = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "MSBuild.exe"
| where ProcessCommandLine has_any (SuspiciousPaths)
| extend DetectionBranch = "MSBuild project file in suspicious path"
| extend RiskScore = 75;
// Branch 4: MSBuild executed with no project file argument (inline exec via stdin or empty invocation)
let MSBuildNoArgs = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "MSBuild.exe"
| where isempty(ProcessCommandLine) or ProcessCommandLine =~ "MSBuild.exe"
| extend DetectionBranch = "MSBuild executed with no arguments"
| extend RiskScore = 60;
union MSBuildChildProcs, MSBuildSuspiciousParent, MSBuildSuspiciousPaths, MSBuildNoArgs
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, FolderPath, DetectionBranch, RiskScore
| sort by RiskScore desc, Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate software builds initiated from PowerShell or cmd.exe wrappers in CI/CD pipelines (e.g., Azure DevOps agents, GitHub Actions runners, Jenkins agents running on Windows)
Visual Studio extensions and IDE tooling that invoke MSBuild programmatically from non-standard parent contexts
.NET SDK tooling (dotnet.exe) that shells out to MSBuild.exe during restore, build, or publish operations
Developer workstations where engineers invoke MSBuild manually from terminals for testing build scripts in temp directories
Third-party installers (e.g., Chocolatey packages, software installers) that compile .NET components during installation

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image=lower(Image), ParentImage=lower(ParentImage), CommandLine=lower(CommandLine)
| eval IsMSBuild=if(match(Image, "msbuild\.exe$"), 1, 0)
| eval MSBuildIsParent=if(match(ParentImage, "msbuild\.exe$"), 1, 0)
`comment("Branch 1: MSBuild as parent spawning suspicious child processes")`
| eval SuspiciousChild=if(MSBuildIsParent=1 AND match(Image, "(cmd\.exe|powershell\.exe|pwsh\.exe|net\.exe|net1\.exe|whoami\.exe|certutil\.exe|bitsadmin\.exe|regsvr32\.exe|rundll32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|schtasks\.exe|reg\.exe|sc\.exe|curl\.exe|wget\.exe|nltest\.exe|ipconfig\.exe)$"), 1, 0)
`comment("Branch 2: MSBuild launched by suspicious parent process")`
| eval SuspiciousParent=if(IsMSBuild=1 AND match(ParentImage, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|explorer\.exe|outlook\.exe|winword\.exe|excel\.exe|powerpnt\.exe|rundll32\.exe|regsvr32\.exe|wmic\.exe)$"), 1, 0)
`comment("Branch 3: MSBuild loading project file from suspicious path")`
| eval SuspiciousProjectPath=if(IsMSBuild=1 AND match(CommandLine, "(\\\\temp\\\\|\\\\appdata\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\windows\\\\tasks\\\\|\\\\downloads\\\\|\\\\desktop\\\\)"), 1, 0)
`comment("Branch 4: MSBuild with no meaningful project file argument")`
| eval NoProjectFile=if(IsMSBuild=1 AND (len(trim(CommandLine))=0 OR CommandLine="msbuild.exe"), 1, 0)
| eval RiskScore=case(
    SuspiciousChild=1, 90,
    SuspiciousParent=1, 80,
    SuspiciousProjectPath=1, 75,
    NoProjectFile=1, 60,
    true(), 0)
| eval DetectionBranch=case(
    SuspiciousChild=1, "MSBuild spawned suspicious child process",
    SuspiciousParent=1, "MSBuild launched by suspicious parent",
    SuspiciousProjectPath=1, "MSBuild project file in suspicious path",
    NoProjectFile=1, "MSBuild executed with no arguments",
    true(), "none")
| where RiskScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionBranch, RiskScore
| sort - RiskScore, - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate software builds initiated from PowerShell or cmd.exe wrappers in CI/CD pipelines (Azure DevOps, GitHub Actions, Jenkins on Windows)
Visual Studio and .NET SDK tooling invoking MSBuild programmatically from non-standard parent contexts
Third-party installers that compile .NET components during software installation
Developer workstations where engineers run MSBuild from terminal emulators for testing

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
[
  process where event.type == "start" and
  (
    /* Branch 2: MSBuild launched by suspicious parent */
    (process.name : "MSBuild.exe" and
     process.parent.name : ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe","explorer.exe","outlook.exe","winword.exe","excel.exe","powerpnt.exe","rundll32.exe","regsvr32.exe","wmic.exe"))
    or
    /* Branch 3: MSBuild loading project file from suspicious path */
    (process.name : "MSBuild.exe" and
     process.args : ("*\\Temp\\*","*\\AppData\\Local\\*","*\\AppData\\Roaming\\*","*\\ProgramData\\*","*\\Users\\Public\\*","*\\Windows\\Tasks\\*","*\\Desktop\\*","*\\Downloads\\*"))
    or
    /* Branch 4: MSBuild with no arguments */
    (process.name : "MSBuild.exe" and
     (process.args_count == 0 or process.command_line : "MSBuild.exe"))
  )
]

/* Standalone Branch 1: MSBuild spawning suspicious child processes */
pipe
process where event.type == "start" and
  process.parent.name : "MSBuild.exe" and
  process.name : ("cmd.exe","powershell.exe","pwsh.exe","net.exe","net1.exe","whoami.exe","ipconfig.exe","nltest.exe","certutil.exe","bitsadmin.exe","regsvr32.exe","rundll32.exe","mshta.exe","wscript.exe","cscript.exe","schtasks.exe","at.exe","reg.exe","sc.exe","curl.exe","wget.exe")

high severity high confidence

Data Sources

Windows Endpoint Logs via Elastic Agent Sysmon via Winlogbeat Elastic Endpoint Security

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate software developers invoking MSBuild.exe from command prompts or PowerShell during active development or CI/CD pipelines
MSBuild triggered by Visual Studio or development IDEs that launch cmd.exe or PowerShell as part of post-build events or test runners
Automated build systems (Jenkins, Azure DevOps agents, TeamCity) that run MSBuild from scripts and may spawn post-build tools like certutil for signing

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "sourceip",
  QIDNAME(qid) AS event_name,
  "ProcessName",
  "ParentProcessName",
  "CommandLine",
  CASE
    WHEN LOWER("ParentProcessName") LIKE '%msbuild.exe' AND
         REGEXP_CONTAINS(LOWER("ProcessName"), '(cmd\.exe|powershell\.exe|pwsh\.exe|net\.exe|net1\.exe|whoami\.exe|certutil\.exe|bitsadmin\.exe|regsvr32\.exe|rundll32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|schtasks\.exe|reg\.exe|sc\.exe|curl\.exe|wget\.exe|nltest\.exe|ipconfig\.exe)$')
    THEN 90
    WHEN LOWER("ProcessName") LIKE '%msbuild.exe' AND
         REGEXP_CONTAINS(LOWER("ParentProcessName"), '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|explorer\.exe|outlook\.exe|winword\.exe|excel\.exe|powerpnt\.exe|rundll32\.exe|regsvr32\.exe|wmic\.exe)$')
    THEN 80
    WHEN LOWER("ProcessName") LIKE '%msbuild.exe' AND
         REGEXP_CONTAINS(LOWER("CommandLine"), '(\\\\temp\\\\|\\\\appdata\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\windows\\\\tasks\\\\|\\\\downloads\\\\|\\\\desktop\\\\)')
    THEN 75
    WHEN LOWER("ProcessName") LIKE '%msbuild.exe' AND
         ("CommandLine" IS NULL OR LOWER(TRIM("CommandLine")) = 'msbuild.exe')
    THEN 60
    ELSE 0
  END AS risk_score,
  CASE
    WHEN LOWER("ParentProcessName") LIKE '%msbuild.exe' AND
         REGEXP_CONTAINS(LOWER("ProcessName"), '(cmd\.exe|powershell\.exe|pwsh\.exe|net\.exe|net1\.exe|whoami\.exe|certutil\.exe|bitsadmin\.exe|regsvr32\.exe|rundll32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|schtasks\.exe|reg\.exe|sc\.exe|curl\.exe|wget\.exe|nltest\.exe|ipconfig\.exe)$')
    THEN 'MSBuild spawned suspicious child process'
    WHEN LOWER("ProcessName") LIKE '%msbuild.exe' AND
         REGEXP_CONTAINS(LOWER("ParentProcessName"), '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|explorer\.exe|outlook\.exe|winword\.exe|excel\.exe|powerpnt\.exe|rundll32\.exe|regsvr32\.exe|wmic\.exe)$')
    THEN 'MSBuild launched by suspicious parent'
    WHEN LOWER("ProcessName") LIKE '%msbuild.exe' AND
         REGEXP_CONTAINS(LOWER("CommandLine"), '(\\\\temp\\\\|\\\\appdata\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\windows\\\\tasks\\\\|\\\\downloads\\\\|\\\\desktop\\\\)')
    THEN 'MSBuild project file in suspicious path'
    WHEN LOWER("ProcessName") LIKE '%msbuild.exe' AND
         ("CommandLine" IS NULL OR LOWER(TRIM("CommandLine")) = 'msbuild.exe')
    THEN 'MSBuild executed with no arguments'
    ELSE 'none'
  END AS detection_branch
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 14, 15)  -- Windows Security, Sysmon, System, Application
  AND starttime > NOW() - 86400 SECONDS
  AND (
    (LOWER("ParentProcessName") LIKE '%msbuild.exe' AND "ProcessName" IS NOT NULL)
    OR
    LOWER("ProcessName") LIKE '%msbuild.exe'
  )
  AND (
    CASE
      WHEN LOWER("ParentProcessName") LIKE '%msbuild.exe' AND
           REGEXP_CONTAINS(LOWER("ProcessName"), '(cmd\.exe|powershell\.exe|pwsh\.exe|net\.exe|net1\.exe|whoami\.exe|certutil\.exe|bitsadmin\.exe|regsvr32\.exe|rundll32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|schtasks\.exe|reg\.exe|sc\.exe|curl\.exe|wget\.exe|nltest\.exe|ipconfig\.exe)$')
      THEN TRUE
      WHEN LOWER("ProcessName") LIKE '%msbuild.exe' AND
           REGEXP_CONTAINS(LOWER("ParentProcessName"), '(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|explorer\.exe|outlook\.exe|winword\.exe|excel\.exe|powerpnt\.exe|rundll32\.exe|regsvr32\.exe|wmic\.exe)$')
      THEN TRUE
      WHEN LOWER("ProcessName") LIKE '%msbuild.exe' AND
           REGEXP_CONTAINS(LOWER("CommandLine"), '(\\\\temp\\\\|\\\\appdata\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\windows\\\\tasks\\\\|\\\\downloads\\\\|\\\\desktop\\\\)')
      THEN TRUE
      WHEN LOWER("ProcessName") LIKE '%msbuild.exe' AND
           ("CommandLine" IS NULL OR LOWER(TRIM("CommandLine")) = 'msbuild.exe')
      THEN TRUE
      ELSE FALSE
    END
  )
ORDER BY risk_score DESC, starttime DESC

high severity medium confidence

Data Sources

QRadar Windows Security Event Log DSM QRadar Microsoft Sysmon DSM

Required Tables

events

False Positives

Developer workstations where MSBuild is invoked directly from PowerShell or cmd.exe during regular software development workflows
CI/CD agents that chain MSBuild invocations via scripts and produce post-build child processes like certutil or reg.exe for packaging
Software packaging tools (WiX Toolset, NuGet) that invoke MSBuild from explorer context menus or non-standard parent processes

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winevent*
| where _raw matches /(?i)msbuild\.exe/
| parse regex field=_raw "(?i)<Image>(?<Image>[^<]+)</Image>" nodrop
| parse regex field=_raw "(?i)<ParentImage>(?<ParentImage>[^<]+)</ParentImage>" nodrop
| parse regex field=_raw "(?i)<CommandLine>(?<CommandLine>[^<]+)</CommandLine>" nodrop
| parse regex field=_raw "(?i)<User>(?<User>[^<]+)</User>" nodrop
| parse regex field=_raw "(?i)<Computer>(?<Computer>[^<]+)</Computer>" nodrop
| parse regex field=_raw "(?i)<ParentCommandLine>(?<ParentCommandLine>[^<]+)</ParentCommandLine>" nodrop
| eval Image = toLowerCase(Image)
| eval ParentImage = toLowerCase(ParentImage)
| eval CommandLine = toLowerCase(CommandLine)
| eval IsMSBuild = if(matches(Image, ".*msbuild\\.exe$"), 1, 0)
| eval MSBuildIsParent = if(matches(ParentImage, ".*msbuild\\.exe$"), 1, 0)
| eval SuspiciousChild = if(
    MSBuildIsParent == 1 AND matches(Image, ".*(cmd\\.exe|powershell\\.exe|pwsh\\.exe|net\\.exe|net1\\.exe|whoami\\.exe|certutil\\.exe|bitsadmin\\.exe|regsvr32\\.exe|rundll32\\.exe|mshta\\.exe|wscript\\.exe|cscript\\.exe|schtasks\\.exe|reg\\.exe|sc\\.exe|curl\\.exe|wget\\.exe|nltest\\.exe|ipconfig\\.exe)$"),
    1, 0)
| eval SuspiciousParent = if(
    IsMSBuild == 1 AND matches(ParentImage, ".*(cmd\\.exe|powershell\\.exe|pwsh\\.exe|wscript\\.exe|cscript\\.exe|mshta\\.exe|explorer\\.exe|outlook\\.exe|winword\\.exe|excel\\.exe|powerpnt\\.exe|rundll32\\.exe|regsvr32\\.exe|wmic\\.exe)$"),
    1, 0)
| eval SuspiciousProjectPath = if(
    IsMSBuild == 1 AND matches(CommandLine, ".*(\\\\temp\\\\|\\\\appdata\\\\|\\\\programdata\\\\|\\\\users\\\\public\\\\|\\\\windows\\\\tasks\\\\|\\\\downloads\\\\|\\\\desktop\\\\).*"),
    1, 0)
| eval NoProjectFile = if(
    IsMSBuild == 1 AND (isNull(CommandLine) OR trim(CommandLine) == "" OR CommandLine == "msbuild.exe"),
    1, 0)
| eval RiskScore = if(SuspiciousChild == 1, 90,
    if(SuspiciousParent == 1, 80,
    if(SuspiciousProjectPath == 1, 75,
    if(NoProjectFile == 1, 60, 0))))
| eval DetectionBranch = if(SuspiciousChild == 1, "MSBuild spawned suspicious child process",
    if(SuspiciousParent == 1, "MSBuild launched by suspicious parent",
    if(SuspiciousProjectPath == 1, "MSBuild project file in suspicious path",
    if(NoProjectFile == 1, "MSBuild executed with no arguments", "none"))))
| where RiskScore > 0
| fields _messagetime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionBranch, RiskScore
| sort by RiskScore, _messagetime

high severity medium confidence

Data Sources

Sumo Logic Windows Event Log Source Sumo Logic Sysmon Source via Installed Collector

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Legitimate build pipelines on developer machines that invoke MSBuild from cmd.exe or PowerShell terminal sessions
MSBuild used by game development tools (Unity, Unreal) or audio plugins that write temporary project files to AppData during asset compilation
IT automation scripts that invoke MSBuild as part of patch management or software deployment workflows from explorer.exe or scripted wrappers

Google Chronicle / SecOps

yaral

rule msbuild_proxy_execution_t1127_001 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects MSBuild.exe abuse for proxy execution of malicious code via inline task capability (T1127.001). Covers suspicious child process spawning, suspicious parent ancestry, project files in writable paths, and no-argument invocations."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1127.001"
    reference = "https://attack.mitre.org/techniques/T1127/001/"
    created = "2026-04-18"

  events:
    (
      /* Branch 1: MSBuild spawning suspicious child processes */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.principal.process.file.full_path, `(?i)msbuild\.exe$`)
        and re.regex($e.target.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|net\.exe|net1\.exe|whoami\.exe|ipconfig\.exe|nltest\.exe|certutil\.exe|bitsadmin\.exe|regsvr32\.exe|rundll32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|schtasks\.exe|at\.exe|reg\.exe|sc\.exe|curl\.exe|wget\.exe)$`)
      )
      or
      /* Branch 2: MSBuild launched by suspicious parent */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)msbuild\.exe$`)
        and re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|explorer\.exe|outlook\.exe|winword\.exe|excel\.exe|powerpnt\.exe|rundll32\.exe|regsvr32\.exe|wmic\.exe)$`)
      )
      or
      /* Branch 3: MSBuild loading project file from suspicious path */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)msbuild\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(\\temp\\|\\appdata\\local\\|\\appdata\\roaming\\|\\programdata\\|\\users\\public\\|\\windows\\tasks\\|\\desktop\\|\\downloads\\)`)
      )
      or
      /* Branch 4: MSBuild with no meaningful arguments */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)msbuild\.exe$`)
        and (
          not $e.target.process.command_line != ""
          or re.regex($e.target.process.command_line, `(?i)^msbuild\.exe\s*$`)
        )
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM via Windows Forwarding Chronicle Ingestion API with Sysmon parser Google Chronicle with CrowdStrike Falcon parser

Required Tables

UDM PROCESS_LAUNCH events

False Positives

Enterprise developer workstations where developers regularly invoke MSBuild directly from PowerShell or cmd.exe terminals during active coding sessions
Automated deployment systems such as Octopus Deploy or TeamCity agents that execute MSBuild as a build step and subsequently call child tools like reg.exe or sc.exe for service registration
Visual Studio project templates or extension installers that spawn MSBuild from explorer.exe or winword.exe during document macro execution via legitimate Office integration scenarios

CrowdStrike LogScale (CQL)

cql

// T1127.001 — MSBuild Proxy Execution Detection
// Branch 1: MSBuild spawning suspicious child processes (RiskScore 90)
#repo=base_sensor
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^msbuild\.exe$/
| FileName = /(?i)^(cmd\.exe|powershell\.exe|pwsh\.exe|net\.exe|net1\.exe|whoami\.exe|ipconfig\.exe|nltest\.exe|certutil\.exe|bitsadmin\.exe|regsvr32\.exe|rundll32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|schtasks\.exe|at\.exe|reg\.exe|sc\.exe|curl\.exe|wget\.exe)$/
| RiskScore := 90
| DetectionBranch := "MSBuild spawned suspicious child process"

| union (
  // Branch 2: MSBuild launched by suspicious parent (RiskScore 80)
  #repo=base_sensor
  #event_simpleName=ProcessRollup2
  | FileName = /(?i)^msbuild\.exe$/
  | ParentBaseFileName = /(?i)^(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|explorer\.exe|outlook\.exe|winword\.exe|excel\.exe|powerpnt\.exe|rundll32\.exe|regsvr32\.exe|wmic\.exe)$/
  | RiskScore := 80
  | DetectionBranch := "MSBuild launched by suspicious parent"
)

| union (
  // Branch 3: MSBuild loading project file from suspicious path (RiskScore 75)
  #repo=base_sensor
  #event_simpleName=ProcessRollup2
  | FileName = /(?i)^msbuild\.exe$/
  | CommandLine = /(?i)(\\temp\\|\\appdata\\local\\|\\appdata\\roaming\\|\\programdata\\|\\users\\public\\|\\windows\\tasks\\|\\desktop\\|\\downloads\\)/
  | RiskScore := 75
  | DetectionBranch := "MSBuild project file in suspicious path"
)

| union (
  // Branch 4: MSBuild executed with no arguments (RiskScore 60)
  #repo=base_sensor
  #event_simpleName=ProcessRollup2
  | FileName = /(?i)^msbuild\.exe$/
  | CommandLine = /(?i)^msbuild\.exe\s*$/
  | RiskScore := 60
  | DetectionBranch := "MSBuild executed with no arguments"
)

| select([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, TargetProcessId, RiskScore, DetectionBranch])
| sort(RiskScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor ProcessRollup2 events CrowdStrike Falcon base_sensor repository

Required Tables

ProcessRollup2

False Positives

Software developers running MSBuild directly from PowerShell or cmd.exe terminals on development endpoints enrolled in the Falcon sensor fleet
DevOps build agents (e.g., GitHub Actions self-hosted runners, Jenkins executors) that chain MSBuild with post-build child processes such as certutil for code signing or reg.exe for COM registration
MSBuild invoked by package manager tooling (vcpkg, Chocolatey) that writes temporary project files to AppData or Temp directories as part of normal package compilation

Last updated: 2026-04-18 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1127.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

MSBuild

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections