Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. technique: T1127 ✕
Show ATT&CK heatmapSuspicious .NET process loads an MSBuild DLL Medium
A suspicious process in the Microsoft .NET directory loaded the Microsoft Build Framework DLL. This may occur if an attacker masquerades a process like MSBuild (PowerLessShell).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Trusted Developer Utilities Proxy Execution: MSBuild (T1127.001)Required data: XDR AgentAttacker's goals: Gain code execution on the host and evade security controls.Investigative actions: Check whether the executing process is benign and if this was a desired behavior as part of its normal execution flow.