Suspicious Child Process of AspNetCompiler

Detects potentially suspicious child processes of "aspnet_compiler.exe". aspnet_compiler.exe is the ASP.NET precompilation tool shipped with the .NET Framework; because it compiles and runs attacker-supplied C# placed in a crafted application folder structure (see the LOLBAS entry referenced in the rule), it can be abused as a living-off-the-land binary. During a legitimate precompile it spawns the compiler itself, not interactive tools or executables from user-writable and temporary locations, so the rule alerts on children such as calc.exe or notepad.exe, or on any child image whose path contains a public, temp or Tasks directory.

Sigma rule

```yaml
title: Suspicious Child Process of AspNetCompiler
id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
related:
    - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
      type: similar
    - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
      type: similar
    - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
      type: similar
status: test
description: Detects potentially suspicious child processes of "aspnet_compiler.exe".
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
    - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-14
tags:
    - attack.defense-evasion
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\aspnet_compiler.exe'
    selection_child:
        # Note: add other potential suspicious child processes and paths
        - Image|endswith:
              - '\calc.exe'
              - '\notepad.exe'
        - Image|contains:
              - '\Users\Public\'
              - '\AppData\Local\Temp\'
              - '\AppData\Local\Roaming\'
              - ':\Temp\'
              - ':\Windows\Temp\'
              - ':\Windows\System32\Tasks\'
              - ':\Windows\Tasks\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
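To see how the detection block above evaluates, here is an added example, written for this page and not part of the Sigma rule or the SigmaHQ project, that reproduces the rule's logic in Python and runs it over a handful of constructed process_creation events (not real telemetry). It applies the Sigma semantics that matter here: `|endswith` and `|contains` compare case-insensitively unless the `|cased` modifier is used, the two maps listed under `selection_child` are ORed together, and `all of selection_*` ANDs the parent and child selections. The field names `ParentImage` and `Image` are the ones the rule uses; the `label` key on each event is an assumption added only for reporting.

```python
# Added example: a minimal evaluator for the detection block of
# "Suspicious Child Process of AspNetCompiler". Not SigmaHQ code.

# The rule's detection block as Python data. Sigma string modifiers
# (|endswith, |contains) are case-insensitive unless |cased is used,
# so every comparison below is done on lower-cased values.
SELECTION_PARENT_ENDSWITH = ["\\aspnet_compiler.exe"]
SELECTION_CHILD_ENDSWITH = ["\\calc.exe", "\\notepad.exe"]
SELECTION_CHILD_CONTAINS = [
    "\\Users\\Public\\",
    "\\AppData\\Local\\Temp\\",
    "\\AppData\\Local\\Roaming\\",
    ":\\Temp\\",
    ":\\Windows\\Temp\\",
    ":\\Windows\\System32\\Tasks\\",
    ":\\Windows\\Tasks\\",
]


def selection_parent(event: dict) -> bool:
    """selection_parent: ParentImage|endswith '\\aspnet_compiler.exe'."""
    parent = event.get("ParentImage", "").lower()
    return any(parent.endswith(s.lower()) for s in SELECTION_PARENT_ENDSWITH)


def selection_child(event: dict) -> bool:
    """selection_child is a YAML list of two maps; Sigma ORs list items."""
    image = event.get("Image", "").lower()
    by_name = any(image.endswith(s.lower()) for s in SELECTION_CHILD_ENDSWITH)
    by_path = any(s.lower() in image for s in SELECTION_CHILD_CONTAINS)
    return by_name or by_path


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_parent(event) and selection_child(event)


# Constructed sample events. "label" is an assumed key used only for output.
ASPNET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
SAMPLE_EVENTS = [
    # Normal precompile: aspnet_compiler.exe hands off to the C# compiler.
    {"label": "legit-compile", "ParentImage": ASPNET,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    # Classic proof-of-execution child; mixed case to exercise case folding.
    {"label": "calc-mixed-case", "ParentImage": ASPNET,
     "Image": r"C:\WINDOWS\SYSTEM32\CALC.EXE"},
    # Payload staged in a world-writable directory.
    {"label": "public-drop", "ParentImage": ASPNET,
     "Image": r"C:\Users\Public\Libraries\stage2.exe"},
    # Same suspicious child, but not under aspnet_compiler.exe: no alert.
    {"label": "explorer-parent", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\Public\Libraries\stage2.exe"},
    # Default roaming profile path; not covered by the rule's path list.
    {"label": "roaming-default-path", "ParentImage": ASPNET,
     "Image": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    # Binary launched out of the scheduled-tasks folder.
    {"label": "windows-tasks", "ParentImage": ASPNET,
     "Image": r"C:\Windows\Tasks\runner.exe"},
]


def evaluate(events: list) -> list:
    """Return the labels of events that trigger the rule, in input order."""
    return [e["label"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for label in evaluate(SAMPLE_EVENTS):
        print("ALERT:", label)
```

Running it alerts on `calc-mixed-case`, `public-drop` and `windows-tasks`, and stays quiet on the legitimate csc.exe hand-off and on the same payload path under a different parent. The `roaming-default-path` event is worth noting: on a default Windows profile the roaming folder is `\AppData\Roaming\` (`%APPDATA%`), while `\AppData\Local\` (`%LOCALAPPDATA%`) has no `Roaming` subfolder, so the rule's `\AppData\Local\Roaming\` entry will rarely match as written; anyone tuning the rule for their environment should decide whether `\AppData\Roaming\` belongs in the list, bearing in mind the false-positive cost of that broader path.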
