Potentially Suspicious ASP.NET Compilation Via AspNetCompiler

calendar Jun 4, 2025 · attack.defense-evasion attack.t1127  ·
Share on: linkedin copy

Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.

Sigma rule (View on GitHub)

 1title: Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
 2id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
 3related:
 4    - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
 5      type: similar
 6    - id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
 7      type: similar
 8    - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
 9      type: similar
10status: test
11description: Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
12references:
13    - https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/
14    - https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
15author: Nasreddine Bencherchali (Nextron Systems)
16date: 2023-08-14
17modified: 2025-02-24
18tags:
19    - attack.defense-evasion
20    - attack.t1127
21logsource:
22    category: process_creation
23    product: windows
24detection:
25    selection:
26        Image|contains:
27            - ':\Windows\Microsoft.NET\Framework\'
28            - ':\Windows\Microsoft.NET\Framework64\'
29            - ':\Windows\Microsoft.NET\FrameworkArm\'
30            - ':\Windows\Microsoft.NET\FrameworkArm64\'
31        Image|endswith: '\aspnet_compiler.exe'
32        CommandLine|contains:
33            # Note: add other potential suspicious paths
34            - '\Users\Public\'
35            - '\AppData\Local\Temp\'
36            - '\AppData\Local\Roaming\'
37            - ':\Temp\'
38            - ':\Windows\Temp\'
39            - ':\Windows\System32\Tasks\'
40            - ':\Windows\Tasks\'
41    condition: selection
42falsepositives:
43    - Unknown
44level: high

References

  • Aspnet_compiler on LOLBAS

    Aspnet_Compiler.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.


    Read More

  • The Curious Case of Aspnet_Compiler.exe

    Hey all, This post will explore code execution with aspnet_compiler.exe. I’m going to outline how to use the Microsoft signed executable to load & execute a local DLL builder and quickly …


    Read More

Related rules

to-top