Suspicious .NET Code Compilation

  1[metadata]
  2creation_date = "2020/08/21"
  3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to
 11compile code after delivery in order to bypass security mechanisms.
 12"""
 13from = "now-9m"
 14index = [
 15    "endgame-*",
 16    "logs-crowdstrike.fdr*",
 17    "logs-endpoint.events.process-*",
 18    "logs-m365_defender.event-*",
 19    "logs-sentinel_one_cloud_funnel.*",
 20    "logs-system.security*",
 21    "logs-windows.forwarded*",
 22    "logs-windows.sysmon_operational-*",
 23    "winlogbeat-*",
 24]
 25language = "eql"
 26license = "Elastic License v2"
 27name = "Suspicious .NET Code Compilation"
 28note = """## Triage and analysis
 29
 30> **Disclaimer**:
 31> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 32
 33### Investigating Suspicious .NET Code Compilation
 34
 35.NET compilers like `csc.exe` and `vbc.exe` are integral to compiling C# and VB.NET code, respectively, in Windows environments. Adversaries exploit these compilers by executing them with unusual parent processes, such as scripting engines or system utilities, to compile malicious code stealthily. The detection rule identifies such anomalies by monitoring compiler executions initiated by suspicious parent processes, signaling potential evasion or execution tactics.
 36
 37### Possible investigation steps
 38
 39- Review the process tree to understand the relationship between the suspicious parent process (e.g., wscript.exe, mshta.exe) and the .NET compiler process (csc.exe or vbc.exe) to determine if the execution flow is typical or anomalous.
 40- Examine the command-line arguments used by the .NET compiler process to identify any potentially malicious code or scripts being compiled.
 41- Check the user account associated with the process execution to determine if it aligns with expected behavior or if it indicates potential compromise or misuse.
 42- Investigate the source and integrity of the parent process executable to ensure it has not been tampered with or replaced by a malicious version.
 43- Correlate the event with other security alerts or logs from the same host or user to identify any patterns or additional indicators of compromise.
 44- Analyze network activity from the host around the time of the alert to detect any suspicious outbound connections that may indicate data exfiltration or command-and-control communication.
 45
 46### False positive analysis
 47
 48- Legitimate software development activities may trigger this rule if developers use scripting engines or system utilities to automate the compilation of .NET code. To manage this, identify and whitelist known development environments or scripts that frequently compile code using these methods.
 49- System administrators might use scripts or automation tools that invoke .NET compilers for maintenance tasks. Review and document these processes, then create exceptions for recognized administrative scripts to prevent unnecessary alerts.
 50- Some enterprise applications may use .NET compilers as part of their normal operation, especially if they dynamically generate or compile code. Investigate these applications and exclude their processes from the rule if they are verified as non-threatening.
 51- Security tools or monitoring solutions might simulate suspicious behavior for testing purposes, which could trigger this rule. Coordinate with your security team to identify such tools and exclude their activities from detection.
 52- In environments where custom scripts are frequently used for deployment or configuration, ensure these scripts are reviewed and, if safe, added to an exclusion list to reduce false positives.
 53
 54### Response and remediation
 55
 56- Immediately isolate the affected system from the network to prevent further execution or spread of potentially malicious code.
 57- Terminate any suspicious processes identified, such as `csc.exe` or `vbc.exe`, that are running with unusual parent processes.
 58- Conduct a thorough scan of the isolated system using updated antivirus and endpoint detection tools to identify and remove any malicious files or remnants.
 59- Review and analyze the execution logs to determine the source and scope of the threat, focusing on the parent processes like `wscript.exe` or `mshta.exe` that initiated the compiler execution.
 60- Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated through cleaning.
 61- Implement application whitelisting to prevent unauthorized execution of compilers and scripting engines by non-standard parent processes.
 62- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the need for broader organizational response measures."""
 63risk_score = 47
 64rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c"
 65severity = "medium"
 66tags = [
 67    "Domain: Endpoint",
 68    "OS: Windows",
 69    "Use Case: Threat Detection",
 70    "Tactic: Defense Evasion",
 71    "Tactic: Execution",
 72    "Data Source: Elastic Endgame",
 73    "Data Source: Elastic Defend",
 74    "Data Source: Windows Security Event Logs",
 75    "Data Source: Microsoft Defender for Endpoint",
 76    "Data Source: Sysmon",
 77    "Data Source: SentinelOne",
 78    "Data Source: Crowdstrike",
 79    "Resources: Investigation Guide",
 80]
 81timestamp_override = "event.ingested"
 82type = "eql"
 83
 84query = '''
 85process where host.os.type == "windows" and event.type == "start" and
 86  process.name : ("csc.exe", "vbc.exe") and
 87  process.parent.name : ("wscript.exe", "mshta.exe", "cscript.exe", "wmic.exe", "svchost.exe", "rundll32.exe", "cmstp.exe", "regsvr32.exe")
 88'''
 89
 90
 91[[rule.threat]]
 92framework = "MITRE ATT&CK"
 93[[rule.threat.technique]]
 94id = "T1027"
 95name = "Obfuscated Files or Information"
 96reference = "https://attack.mitre.org/techniques/T1027/"
 97[[rule.threat.technique.subtechnique]]
 98id = "T1027.004"
 99name = "Compile After Delivery"
100reference = "https://attack.mitre.org/techniques/T1027/004/"
101
102
103
104[rule.threat.tactic]
105id = "TA0005"
106name = "Defense Evasion"
107reference = "https://attack.mitre.org/tactics/TA0005/"
108[[rule.threat]]
109framework = "MITRE ATT&CK"
110[[rule.threat.technique]]
111id = "T1059"
112name = "Command and Scripting Interpreter"
113reference = "https://attack.mitre.org/techniques/T1059/"
114[[rule.threat.technique.subtechnique]]
115id = "T1059.005"
116name = "Visual Basic"
117reference = "https://attack.mitre.org/techniques/T1059/005/"
118
119
120
121[rule.threat.tactic]
122id = "TA0002"
123name = "Execution"
124reference = "https://attack.mitre.org/tactics/TA0002/"