AspNetCompiler Execution
Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
Sigma rule (View on GitHub)
1title: AspNetCompiler Execution
2id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
3related:
4 - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
5 type: similar
6 - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
7 type: similar
8 - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
9 type: similar
10status: test
11description: Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
12references:
13 - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
14 - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
15author: frack113
16date: 2021/11/24
17modified: 2023/08/14
18tags:
19 - attack.defense_evasion
20 - attack.t1127
21logsource:
22 category: process_creation
23 product: windows
24detection:
25 selection:
26 Image|contains:
27 - 'C:\Windows\Microsoft.NET\Framework\'
28 - 'C:\Windows\Microsoft.NET\Framework64\'
29 Image|endswith: '\aspnet_compiler.exe'
30 condition: selection
31falsepositives:
32 - Unknown
33level: medium
References
-
Execute C# code with the Build Provider and proper folder structure in place. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -...
Read More -
Hey all, This post will explore code execution with aspnet_compiler.exe. I’m going to outline how to use the Microsoft signed executable to load & execute a local DLL builder and quickly …
Read More
Related rules
- Potential Mftrace.EXE Abuse
- Detection of PowerShell Execution via Sqlps.exe
- SQL Client Tools PowerShell Session Detection
- Microsoft Workflow Compiler Execution
- Potential Binary Proxy Execution Via VSDiagnostics.EXE