Suspicious Msbuild Execution By Uncommon Parent Process

Rule Info

Name
Suspicious Msbuild Execution By Uncommon Parent Process
Author
frack113
Description
Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process
Reference
https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/
Date
2022-11-17 00:00:00
Modified
None
Id
33be4333-2c6b-44f4-ae28-102cdbde0a31
Tags
attack.defense_evasion DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=33be4333-2c6b-44f4-ae28-102cdbde0a31

Rule History

Author
Title
Date
Commit
frack113
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17
020fc8061
Nasreddine Bencherchali
feat: more updates
2023-03-06
e3503d5d6
frack113
Add proc_creation_win_susp_msbuild (#3708)
2022-11-18
cd3082c3f
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022