Dynamic .NET Compilation Via Csc.EXE
Detects execution of "csc.exe" (the .NET C# command-line compiler) when the command line references a temporary directory, i.e. the user's AppData\Local\Temp or Windows\Temp. Attackers often leverage this to compile code on the fly and use it in later stages, the compile-after-delivery technique tracked as ATT&CK T1027.004. Because legitimate software (installers, IIS worker processes, diagnostics, Ansible and Defender components) also compiles in temp, the rule carries parent-process filters; the filters are generic and should be baselined against your environment.
Sigma rule
```yaml
title: Dynamic .NET Compilation Via Csc.EXE
id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
status: test
description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
references:
    - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
    - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
    - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
    - https://twitter.com/gN3mes1s/status/1206874118282448897
    - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe
author: Florian Roth (Nextron Systems)
date: 2019/08/24
modified: 2023/08/02
tags:
    - attack.defense_evasion
    - attack.t1027.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\csc.exe'
        CommandLine|contains:
            - '\AppData\Local\Temp\' # User execution
            - '\Windows\Temp\' # Admin execution
    filter_main_programfiles:
        # Note: this is a generic filter. You could baseline execution in your env for a more robust rule
        ParentImage|startswith:
            - 'C:\Program Files (x86)\' # https://twitter.com/gN3mes1s/status/1206874118282448897
            - 'C:\Program Files\' # https://twitter.com/gN3mes1s/status/1206874118282448897
    filter_main_sdiagnhost:
        ParentImage: 'C:\Windows\System32\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
    filter_main_w3p:
        ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
    filter_optional_chocolatey:
        ParentImage: 'C:\ProgramData\chocolatey\choco.exe' # Chocolatey https://chocolatey.org/
    filter_optional_defender:
        ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
    filter_optional_ansible:
        # Note: As ansible is widely used we exclude it with this generic filter.
        # A better option would be to filter based on script content basis or other marker while hunting
        ParentCommandLine|contains:
            # '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}'
            # The three strings below are base64 encodings of that UTF-16LE text, one for each
            # byte offset (0, 1, 2) at which it can sit inside a PowerShell -EncodedCommand payload
            - 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
            - 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
            - 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897
    - Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
    - Ansible
level: medium
```
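The following is an added example, not SigmaHQ code or part of the rule above. It reimplements the rule's matching logic in Python (Sigma's default case-insensitive `endswith`/`startswith`/`contains` plus the `selection and not 1 of filter_*` condition), runs it over constructed process_creation events, and regenerates the three Ansible base64 strings from the decoded marker to show why the filter needs three of them: the marker's position in the UTF-16LE script determines which of three base64 phases it is encoded in. All host names, user names, temp paths and parent command lines are invented for the demonstration; `encoded_powershell` mimics the shape of a `-EncodedCommand` launcher as it would appear in a ParentCommandLine field.

```python
"""Added example (not SigmaHQ code): evaluate the Csc.EXE rule above against
constructed process_creation events and regenerate the three base64 alignments
of the Ansible marker used in filter_optional_ansible."""
import base64

# Copied from the rule's filter_optional_ansible block.
ANSIBLE_PATTERNS = (
    "JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw",
    "cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA",
    "nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA",
)
# The plaintext behind them (the commented line in the rule), single quotes included.
ANSIBLE_MARKER = "'{\"failed\":true,\"msg\":\"Ansible requires PowerShell v3.0 or newer\"}'"


def b64_utf16le_alignment(text: str, offset: int) -> str:
    """Base64 characters fully determined by `text` (as UTF-16LE) when `offset`
    (0, 1 or 2) unknown bytes precede it in the buffer being encoded.

    Leading characters that mix in bits of the preceding bytes, and a trailing
    character that mixes in bits of whatever follows, are dropped; the result is
    a substring that appears wherever the marker sits inside -EncodedCommand data.
    """
    raw = b"\x00" * offset + text.encode("utf-16-le")
    enc = base64.b64encode(raw).decode("ascii").rstrip("=")
    if len(raw) % 3:  # last kept character would share bits with the next byte
        enc = enc[:-1]
    return enc[(0, 2, 3)[offset]:]


def ansible_alignments() -> list:
    """All three phases; these reproduce ANSIBLE_PATTERNS character for character."""
    return [b64_utf16le_alignment(ANSIBLE_MARKER, k) for k in range(3)]


def csc_rule_matches(ev: dict) -> bool:
    """Sigma semantics: case-insensitive string modifiers, then
    `selection and not 1 of filter_main_* and not 1 of filter_optional_*`."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    parent = ev.get("ParentImage", "").lower()
    pcmd = ev.get("ParentCommandLine", "").lower()

    selection = image.endswith("\\csc.exe") and (
        "\\appdata\\local\\temp\\" in cmd or "\\windows\\temp\\" in cmd)
    if not selection:
        return False
    filters = (
        parent.startswith(("c:\\program files (x86)\\", "c:\\program files\\")),  # filter_main_programfiles
        parent == "c:\\windows\\system32\\sdiagnhost.exe",                          # filter_main_sdiagnhost
        parent == "c:\\windows\\system32\\inetsrv\\w3wp.exe",                       # filter_main_w3p
        parent == "c:\\programdata\\chocolatey\\choco.exe",                         # filter_optional_chocolatey
        "\\programdata\\microsoft\\windows defender advanced threat protection" in pcmd,  # filter_optional_defender
        any(p.lower() in pcmd for p in ANSIBLE_PATTERNS),                           # filter_optional_ansible
    )
    return not any(filters)


# ---- constructed sample events (hypothetical hosts, users and paths) ----
CSC = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe"
POWERSHELL = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
USER_TEMP_COMPILE = (f'"{CSC}" /noconfig /fullpaths '
                     '@"C:\\Users\\alice\\AppData\\Local\\Temp\\k2h4x1mz\\k2h4x1mz.cmdline"')
ADMIN_TEMP_COMPILE = f'"{CSC}" /noconfig /fullpaths @"C:\\Windows\\Temp\\p7qw3e\\p7qw3e.cmdline"'


def encoded_powershell(script: str) -> str:
    """ParentCommandLine as a PowerShell -EncodedCommand launcher would log it."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NoProfile -NonInteractive -EncodedCommand {b64}"


SAMPLE_EVENTS = {
    "powershell_dropper": {"Image": CSC, "CommandLine": USER_TEMP_COMPILE, "ParentImage": POWERSHELL,
                           "ParentCommandLine": "powershell.exe -w hidden -ep bypass -f C:\\Users\\alice\\AppData\\Local\\Temp\\upd.ps1"},
    "vendor_updater": {"Image": CSC, "CommandLine": USER_TEMP_COMPILE,
                       "ParentImage": "C:\\Program Files\\Contoso\\Updater.exe", "ParentCommandLine": "Updater.exe /silent"},
    "iis_worker": {"Image": CSC, "CommandLine": ADMIN_TEMP_COMPILE,
                   "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "ParentCommandLine": 'w3wp.exe -ap "DefaultAppPool"'},
    "build_server": {"Image": CSC, "CommandLine": f'"{CSC}" /out:C:\\build\\app.exe C:\\build\\src\\*.cs',
                     "ParentImage": "C:\\build\\tools\\MSBuild.exe", "ParentCommandLine": "MSBuild.exe app.csproj"},
}
# Ansible's marker lands at a different byte offset depending on what precedes it in
# the script; prefixes of 0, 2 and 4 UTF-16LE bytes exercise all three base64 phases.
for i, prefix in enumerate(("", "\n", "\r\n")):
    SAMPLE_EVENTS[f"ansible_phase{i}"] = {
        "Image": CSC, "CommandLine": USER_TEMP_COMPILE, "ParentImage": POWERSHELL,
        "ParentCommandLine": encoded_powershell(prefix + ANSIBLE_MARKER + "\nexit 1"),
    }


def alerts(events=None) -> list:
    """Names of the events the rule would alert on, in input order."""
    return [name for name, ev in (events or SAMPLE_EVENTS).items() if csc_rule_matches(ev)]


if __name__ == "__main__":
    print("alerts:", alerts())
```

Only `powershell_dropper` survives: the Program Files and w3wp.exe parents hit the `filter_main_*` exclusions, the build-server compile never touches a temp directory so `selection` fails, and every Ansible variant is suppressed regardless of where the marker falls in the encoded script. The same alignment helper is how you would derive patterns for any other UTF-16LE string you want to match inside `-EncodedCommand` data, which is the technique the rule's three opaque strings encode.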
Related rules
- Csc.EXE Execution Form Potentially Suspicious Parent
- Application Whitelisting Bypass via Dnx.exe
- Dynamic CSharp Compile Artefact
- Visual Basic Command Line Compiler Usage
- Masquerading as Linux Crond Process