GitHub Repo

T1127.001

Date: 2021-01-15 ID: cc9b261a-efc9-11eb-926b-550bf0943fbb Author: Michael Haag Environment: attack_range Directory: T1127.001

Description

MSBuild.exe execution simulating a suspicious spawn, renamed and moved.

MITRE ATT&CK Techniques

ID Technique Tactic
T1127.001 MSBuild Defense Evasion

Environment Details

Field Value
Environment attack_range
Directory T1127.001
Test Date 2021-01-15

Datasets

The following datasets were collected during this attack simulation:

Windows-Sysmon

  • Path: /datasets/attack_techniques/T1127.001/windows-sysmon.log
  • Sourcetype: XmlWinEventLog
  • Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

The following detections in our security content repository use this attack data for testing:

Detection Name Type Source MITRE ATT&CK Analytic Story
MSBuild Suspicious Spawned By Script Process TTP Endpoint T1127.001 Trusted Developer Utilities Proxy Execution MSBuild, Storm-2460 CLFS Zero Day Exploitation
Suspicious msbuild path TTP Endpoint T1036.003, T1127.001 Trusted Developer Utilities Proxy Execution MSBuild, Masquerading - Rename System Utilities, Living Off The Land, Cobalt Strike, BlackByte Ransomware, Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation
Suspicious MSBuild Rename Hunting Endpoint T1036.003, T1127.001 Trusted Developer Utilities Proxy Execution MSBuild, Masquerading - Rename System Utilities, Living Off The Land, Cobalt Strike, BlackByte Ransomware, Graceful Wipe Out Attack, Storm-2460 CLFS Zero Day Exploitation
Suspicious MSBuild Spawn TTP Endpoint T1127.001 Trusted Developer Utilities Proxy Execution MSBuild, Living Off The Land, Storm-2460 CLFS Zero Day Exploitation

Usage Instructions

Replay with Splunk Attack Data

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/attack_techniques/T1127.001/windows-sysmon.log --index attack_data

Manual Import

  1. Download the dataset files from the paths listed above
  2. Configure your Splunk instance with the appropriate sourcetypes
  3. Import the logs using the Splunk Add Data wizard

Related Content

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0