Dynamic CSharp Compile Artefact

When C# is compiled dynamically (for example through CodeDOM or a scripting host), a .cmdline file is written to disk as part of the process. Certain processes are not typically observed compiling C# code, yet can do so without the source ever touching disk; this behaviour can be used to unpack a payload for execution. The rule below looks for the .cmdline artefact of such a compile.

Sigma rule (View on GitHub)

title: Dynamic CSharp Compile Artefact
id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
status: test
description: |
    When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
    Certain processes are not typically observed compiling C# code, but can do so without touching disk.
    This can be used to unpack a payload for execution
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile
author: frack113
date: 2022/01/09
modified: 2023/02/17
tags:
    - attack.defense_evasion
    - attack.t1027.004
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.cmdline'
    condition: selection
falsepositives:
    - Unknown
level: low
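The selection above is a single suffix match, so the real work is in triage. As an added example (not part of this page or of the Sigma project), the following Python applies the rule's logic to constructed file-create events shaped like Sysmon Event ID 11 (the event type that `category: file_event` is commonly mapped to), using Sigma's default case-insensitive string matching, and then groups the hits by the creating process so an analyst can see which image wrote the .cmdline file. The field names, sample paths and the `EXPECTED_COMPILE_HOSTS` list are assumptions for illustration, not values from the rule.

```python
"""Added example: apply the 'Dynamic CSharp Compile Artefact' selection to sample events."""
from collections import defaultdict

# Constructed sample events mimicking Sysmon Event ID 11 (FileCreate) fields.
SAMPLE_EVENTS = [
    {"EventID": 11,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\k2xq4p1z.cmdline"},
    {"EventID": 11,
     "Image": r"C:\Users\alice\Tools\helper.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\u7m9fd2a.CMDLINE"},
    {"EventID": 11,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf"},
    {"EventID": 11,
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\notes.cmdline.txt"},  # suffix not '.cmdline'
]

# Hypothetical allowlist for triage only: images an analyst would expect to see
# driving a C# compile in their environment (assumption, tune per environment).
EXPECTED_COMPILE_HOSTS = {
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
}


def matches_rule(event):
    """Implements `TargetFilename|endswith: '.cmdline'`.

    Sigma string matching is case-insensitive by default, so the comparison
    is done on the lower-cased value.
    """
    target = event.get("TargetFilename", "")
    return target.lower().endswith(".cmdline")


def run_detection(events):
    """Return the events that satisfy the rule's `condition: selection`."""
    return [e for e in events if matches_rule(e)]


def triage_by_image(matches):
    """Count hits per creating process (lower-cased Image path).

    The rule is level 'low' because the suffix alone is weak evidence; the
    creating image is what separates a routine compile from an unexpected one.
    """
    counts = defaultdict(int)
    for e in matches:
        counts[e.get("Image", "").lower()] += 1
    return dict(counts)


def unexpected_hosts(matches):
    """Images that wrote a .cmdline file but are not in the expected-host list."""
    return sorted(img for img in triage_by_image(matches) if img not in EXPECTED_COMPILE_HOSTS)


if __name__ == "__main__":
    hits = run_detection(SAMPLE_EVENTS)
    for e in hits:
        print(f"HIT  {e['Image']} -> {e['TargetFilename']}")
    print("per image:", triage_by_image(hits))
    print("unexpected:", unexpected_hosts(hits))
```

The fourth sample event shows why `endswith` and not `contains` is the right modifier: a file named `notes.cmdline.txt` does not fire, which keeps the rule from matching on arbitrary filenames that merely mention the string.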
