Suspicious .NET Code Compilation
Identifies executions of the .NET command-line compilers (csc.exe, vbc.exe) launched by suspicious parent processes such as script hosts and other living-off-the-land binaries, which can indicate an attacker's attempt to compile code after delivery in order to bypass security mechanisms.
# Rule bookkeeping consumed by the Elastic detection-rules tooling.
[metadata]
creation_date = "2020/08/21"
updated_date = "2024/10/15"
maturity = "production"
# Stack floor and the reason for it; keep both in sync when the floor moves.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
# Integrations whose data streams this rule reads (mirrors the `index` list in [rule]).
integration = [
    "endpoint",
    "windows",
    "system",
    "m365_defender",
    "sentinel_one_cloud_funnel",
]

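[rule]
author = ["Elastic"]
description = """
Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to
compile code after delivery in order to bypass security mechanisms.
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious .NET Code Compilation"
risk_score = 47
rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c"
# NOTE(review): the setup text below only applies to stacks older than 8.2, while [metadata].min_stack_version
# is 8.14.0, so it is most likely obsolete for this rule — confirm with the maintainers before removing it.
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: System",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"

# Match the compiler by image name OR by the PE OriginalFilename, so that a copy of csc.exe/vbc.exe renamed
# to something innocuous (a trivial evasion of name-only matching) is still caught. The OR keeps the original
# process.name match intact for data sources that do not populate process.pe.original_file_name.
# Caveat for triage: process.parent.name is derived from the parent PID, which an attacker can spoof
# (parent-PID spoofing), so a hit is a lead, not proof — pivot on the compiler's and parent's command lines.
# powershell.exe is deliberately absent from the parent list; presumably because Add-Type compiles through
# csc.exe in normal use, so adding it would be noisy — verify before extending the list.
query = '''
process where host.os.type == "windows" and event.type == "start" and
  (process.name : ("csc.exe", "vbc.exe") or process.pe.original_file_name : ("csc.exe", "vbc.exe")) and
  process.parent.name : ("wscript.exe", "mshta.exe", "cscript.exe", "wmic.exe", "svchost.exe", "rundll32.exe", "cmstp.exe", "regsvr32.exe")
'''

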
# ATT&CK mapping. Each [[rule.threat]] element carries one tactic plus the techniques observed under it.
# Primary mapping: compile-after-delivery is the behaviour the query is built around.
[[rule.threat]]
framework = "MITRE ATT&CK"
tactic = { id = "TA0005", name = "Defense Evasion", reference = "https://attack.mitre.org/tactics/TA0005/" }

[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
reference = "https://attack.mitre.org/techniques/T1027/"
subtechnique = [
    { id = "T1027.004", name = "Compile After Delivery", reference = "https://attack.mitre.org/techniques/T1027/004/" },
]

# Secondary mapping: the script-host parents (wscript/cscript) and the VB.NET compiler (vbc.exe) tie the
# activity to Visual Basic execution.
[[rule.threat]]
framework = "MITRE ATT&CK"
tactic = { id = "TA0002", name = "Execution", reference = "https://attack.mitre.org/tactics/TA0002/" }

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
subtechnique = [
    { id = "T1059.005", name = "Visual Basic", reference = "https://attack.mitre.org/techniques/T1059/005/" },
]