Suspicious .NET Code Compilation

Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to compile code after delivery in order to bypass security mechanisms.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/08/21"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to
11compile code after delivery in order to bypass security mechanisms.
12"""
13from = "now-9m"
14index = [
15    "winlogbeat-*",
16    "logs-endpoint.events.process-*",
17    "logs-windows.*",
18    "endgame-*",
19    "logs-system.security*",
20]
21language = "eql"
22license = "Elastic License v2"
23name = "Suspicious .NET Code Compilation"
24risk_score = 47
25rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c"
26setup = """## Setup
27
28If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
29events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
30Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
31`event.ingested` to @timestamp.
32For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
33"""
34severity = "medium"
35tags = [
36    "Domain: Endpoint",
37    "OS: Windows",
38    "Use Case: Threat Detection",
39    "Tactic: Defense Evasion",
40    "Tactic: Execution",
41    "Data Source: Elastic Endgame",
42    "Data Source: Elastic Defend",
43]
44timestamp_override = "event.ingested"
45type = "eql"
46
47query = '''
48process where host.os.type == "windows" and event.type == "start" and
49  process.name : ("csc.exe", "vbc.exe") and
50  process.parent.name : ("wscript.exe", "mshta.exe", "cscript.exe", "wmic.exe", "svchost.exe", "rundll32.exe", "cmstp.exe", "regsvr32.exe")
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1027"
58name = "Obfuscated Files or Information"
59reference = "https://attack.mitre.org/techniques/T1027/"
60[[rule.threat.technique.subtechnique]]
61id = "T1027.004"
62name = "Compile After Delivery"
63reference = "https://attack.mitre.org/techniques/T1027/004/"
64
65
66
67[rule.threat.tactic]
68id = "TA0005"
69name = "Defense Evasion"
70reference = "https://attack.mitre.org/tactics/TA0005/"
71[[rule.threat]]
72framework = "MITRE ATT&CK"
73[[rule.threat.technique]]
74id = "T1059"
75name = "Command and Scripting Interpreter"
76reference = "https://attack.mitre.org/techniques/T1059/"
77[[rule.threat.technique.subtechnique]]
78id = "T1059.005"
79name = "Visual Basic"
80reference = "https://attack.mitre.org/techniques/T1059/005/"
81
82
83
84[rule.threat.tactic]
85id = "TA0002"
86name = "Execution"
87reference = "https://attack.mitre.org/tactics/TA0002/"
