Suspicious .NET Code Compilation
Identifies the .NET command-line compilers (csc.exe, vbc.exe) being started by suspicious parent processes such as script hosts and other commonly abused Windows binaries. This can indicate an attacker compiling source code on the victim after delivery (MITRE ATT&CK T1027.004) so that the payload never reaches the host as a finished, inspectable binary.
[metadata]
creation_date = "2020/08/21"
# Telemetry sources this rule is expected to run against. The query below relies
# on process.name and process.parent.name being populated by each of them.
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/10/31"
# Pinned to 8.14.0 because of the Windows integration breaking change noted in
# min_stack_comments; older stacks would not index the expected data correctly.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to
compile code after delivery in order to bypass security mechanisms.
"""
# Lookback window for each scheduled run. Because of timestamp_override below it
# is evaluated against event.ingested, so events that arrive late are still seen.
from = "now-9m"
# One index pattern per process-event source listed in [metadata].integration
# (plus the legacy winlogbeat/endgame patterns).
index = [
 "winlogbeat-*",
 "logs-endpoint.events.process-*",
 "logs-windows.forwarded*",
 "logs-windows.sysmon_operational-*",
 "endgame-*",
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
 "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious .NET Code Compilation"
risk_score = 47
rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c"
severity = "medium"
# The two "Tactic:" tags mirror the [[rule.threat]] mappings further down.
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
 "Tactic: Execution",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: System",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
]
# Query against ingest time rather than the event's own @timestamp.
timestamp_override = "event.ingested"
type = "eql"

# Process-start events where a .NET command-line compiler (csc.exe or vbc.exe) is
# launched by one of the parents the rule treats as suspicious: script hosts
# (wscript/cscript/mshta) and other signed Windows binaries that do not normally
# compile code. `:` is EQL's case-insensitive match, so binary-name casing is
# irrelevant.
# NOTE(review): both conditions key off the reported process *name* only, so a
# compiler copied to another name by the attacker would not match. If the data
# sources populate PE version information, also matching the original file name
# would be more robust — confirm field availability per source before changing.
query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.name : ("csc.exe", "vbc.exe") and
 process.parent.name : ("wscript.exe", "mshta.exe", "cscript.exe", "wmic.exe", "svchost.exe", "rundll32.exe", "cmstp.exe", "regsvr32.exe")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
reference = "https://attack.mitre.org/techniques/T1027/"
# Primary mapping: the payload is delivered as source and compiled on the host
# (csc.exe / vbc.exe in the query) instead of arriving as a finished binary.
[[rule.threat.technique.subtechnique]]
id = "T1027.004"
name = "Compile After Delivery"
reference = "https://attack.mitre.org/techniques/T1027/004/"

# Tactic for this threat entry; mirrored by the "Tactic: Defense Evasion" tag.
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
# NOTE(review): the rule does not say whether this sub-technique refers to the
# VB.NET compiler (vbc.exe) or to the VBScript-capable hosts among the parents
# (wscript.exe, cscript.exe, mshta.exe); the remaining parents (wmic, rundll32,
# regsvr32, cmstp, svchost) are not covered by it — confirm the intent.
[[rule.threat.technique.subtechnique]]
id = "T1059.005"
name = "Visual Basic"
reference = "https://attack.mitre.org/techniques/T1059/005/"

# Tactic for this threat entry; mirrored by the "Tactic: Execution" tag.
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"