kql | Elastic-2.0 | from elastic/detection-rules
Microsoft Build Engine Started an Unusual Process
Quality: 92
FP risk: —
Rule source: rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
host.os.type:windows and event.category:process and event.type:start and process.parent.name:("MSBuild.exe" or "msbuild.exe") and
process.name:("csc.exe" or "iexplore.exe" or "powershell.exe")