Dynamic .NET Compilation Via Csc.EXE

calendar Aug 23, 2023 · attack.defense_evasion attack.t1027.004  ·
Share on: linkedin copy

Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.

Sigma rule (View on GitHub)

 1title: Dynamic .NET Compilation Via Csc.EXE
 2id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
 3status: test
 4description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
 5references:
 6    - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
 7    - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
 8    - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
 9    - https://twitter.com/gN3mes1s/status/1206874118282448897
10    - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe
11author: Florian Roth (Nextron Systems)
12date: 2019/08/24
13modified: 2023/08/02
14tags:
15    - attack.defense_evasion
16    - attack.t1027.004
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection:
22        Image|endswith: '\csc.exe'
23        CommandLine|contains:
24            - '\AppData\Local\Temp\' # User execution
25            - '\Windows\Temp\' # Admin execution
26    filter_main_programfiles:
27        # Note: this is a generic filter. You could baseline execution in your env for a more robust rule
28        ParentImage|startswith:
29            - 'C:\Program Files (x86)\' # https://twitter.com/gN3mes1s/status/1206874118282448897
30            - 'C:\Program Files\' # https://twitter.com/gN3mes1s/status/1206874118282448897
31    filter_main_sdiagnhost:
32        ParentImage: 'C:\Windows\System32\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
33    filter_main_w3p:
34        ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
35    filter_optional_chocolatey:
36        ParentImage: 'C:\ProgramData\chocolatey\choco.exe' # Chocolatey https://chocolatey.org/
37    filter_optional_defender:
38        ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
39    filter_optional_ansible:
40        # Note: As ansible is widely used we exclude it with this generic filter.
41        # A better option would be to filter based on script content basis or other marker while hunting
42        ParentCommandLine|contains:
43            # '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}'
44            - 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
45            - 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
46            - 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
47    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
48falsepositives:
49    - Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897
50    - Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
51    - Ansible
52level: medium

References

Related rules

to-top