DET0556 Behavior-chain detection strategy for T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild (Windows)
| Item | Value |
| --- | --- |
| ID | DET0556 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1127.001 (MSBuild)
Analytics
Windows
AN1535
MSBuild.exe is invoked outside expected developer/build contexts or with anomalous arguments (e.g., non-canonical paths, remote shares, Base64/obfuscated property values). Within a short window, it (a) spawns high-risk LOLBins/script interpreters, (b) writes new PE/DLL/script artifacts into user-writable paths and executes them, (c) loads unsigned/user-writable modules, (d) performs memory injection/thread creation into other processes, and/or (e) initiates outbound network connections.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| TimeWindow | Correlation window between msbuild.exe start, payload write, suspicious child spawn, and network (e.g., 0–30 minutes). |
| DeveloperHosts | Tag/allowlist known developer or CI/CD hosts to reduce noise. |
| SuspiciousChildList | High-risk children (powershell.exe, rundll32.exe, regsvr32.exe, cmd.exe, wscript.exe, mshta.exe) spawned by msbuild.exe. |
| RarePathRegex | Regex of user-writable or atypical paths (e.g., %TEMP%, %APPDATA%, OneDrive sync dirs) used to drop payloads. |
| UnsignedOrInvalidSignatureOnly | Tighten alerting to cases with invalid or missing signatures on modules/children. |
| NetworkReputationThreshold | Minimum rarity/risk score for external destinations to alert. |
| BehaviorRiskScoreThreshold | Numeric threshold for fused, scored correlation (e.g., ≥70/100 triggers an alert). |