Assembly DLL Creation Via AspNetCompiler
Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
Sigma rule
```yaml
title: Assembly DLL Creation Via AspNetCompiler
id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
related:
    - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
      type: similar
    - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
      type: similar
    - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
      type: similar
status: test
description: |
    Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-14
tags:
    - attack.execution
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\aspnet_compiler.exe'
        TargetFilename|contains|all:
            - '\Temporary ASP.NET Files\'
            - '\assembly\tmp\'
            - '.dll'
    condition: selection
falsepositives:
    - Legitimate assembly compilation using a build provider
level: medium
```
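To see which file writes the `selection` covers, the following added example (not part of the rule or of the Sigma project) applies its two conditions to constructed file events in Python. The event records, the `name` labels and the directory names are assumptions made for the example; matching is case-insensitive, as Sigma string matching is by default.

```python
# Added example: the rule's `selection` applied to constructed file_event records.
IMAGE_SUFFIX = "\\aspnet_compiler.exe"
TARGET_PARTS = ["\\Temporary ASP.NET Files\\", "\\assembly\\tmp\\", ".dll"]


def matches_selection(event):
    """Return True when a file_event satisfies the rule's selection."""
    # Sigma string matching is case-insensitive by default, so compare lowercased.
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    if not image.endswith(IMAGE_SUFFIX.lower()):  # Image|endswith
        return False
    # TargetFilename|contains|all: every substring must appear somewhere in the path
    return all(part.lower() in target for part in TARGET_PARTS)


def matching_events(events):
    """Return the labels of the events that would raise the alert."""
    return [e["name"] for e in events if matches_selection(e)]


# Constructed sample data: the directory names below are made up for the example.
FW = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319"
ASP_TMP = FW + "\\Temporary ASP.NET Files\\root\\1a2b3c4d\\5e6f7a8b"
ASM_TMP = ASP_TMP + "\\assembly\\tmp\\ABCD1234"
COMPILER = FW + "\\aspnet_compiler.exe"
SAMPLE_EVENTS = [
    {"name": "compiler_dll", "Image": COMPILER,
     "TargetFilename": ASM_TMP + "\\App_Code.dll"},
    {"name": "compiler_dll_uppercase", "Image": COMPILER.upper(),
     "TargetFilename": (ASM_TMP + "\\App_Code.dll").upper()},
    # '.dll' is a `contains` match, so a name that merely includes it also hits
    {"name": "compiler_dll_suffix", "Image": COMPILER,
     "TargetFilename": ASM_TMP + "\\App_Code.dll.delete"},
    {"name": "compiler_non_dll", "Image": COMPILER,
     "TargetFilename": ASM_TMP + "\\App_Code.pdb"},
    {"name": "other_process", "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": ASM_TMP + "\\App_Code.dll"},
    {"name": "outside_assembly_tmp", "Image": COMPILER,
     "TargetFilename": ASP_TMP + "\\App_Code.dll"},
]

if __name__ == "__main__":
    for label in matching_events(SAMPLE_EVENTS):
        print("ALERT", label)
```

Because `.dll` is matched with `contains` rather than `endswith`, the rule also fires on file names that only include `.dll`, which is worth knowing when tuning false positives.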