Dynamic .NET Compilation Via Csc.EXE

Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.

Sigma rule

title: Dynamic .NET Compilation Via Csc.EXE
id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
status: test
description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
references:
    - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
    - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
    - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
    - https://twitter.com/gN3mes1s/status/1206874118282448897
    - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
date: 2019/08/24
modified: 2024/04/08
tags:
    - attack.defense_evasion
    - attack.t1027.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\csc.exe'
    selection_susp_location_1:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\AppData\Local\Temp\' # User execution
            - '\Temporary Internet'
            - '\Windows\Temp\' # Admin execution
    selection_susp_location_2:
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Pictures\'
    selection_susp_location_3:
        # Matches a command line that ends with a single path component directly under ProgramData, %AppData%/%LocalAppData%, or \AppData\Local, \AppData\LocalLow or \AppData\Roaming
        CommandLine|re: '([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'
    filter_main_programfiles:
        # Note: this is a generic filter. You could baseline execution in your env for a more robust rule
        ParentImage|startswith:
            - 'C:\Program Files (x86)\' # https://twitter.com/gN3mes1s/status/1206874118282448897
            - 'C:\Program Files\' # https://twitter.com/gN3mes1s/status/1206874118282448897
    filter_main_sdiagnhost:
        ParentImage: 'C:\Windows\System32\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
    filter_main_w3p:
        ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
    filter_optional_chocolatey:
        ParentImage: # Chocolatey https://chocolatey.org/
            - 'C:\ProgramData\chocolatey\choco.exe'
            - 'C:\ProgramData\chocolatey\tools\shimgen.exe'
    filter_optional_defender:
        ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
    filter_optional_ansible:
        # Note: As Ansible is widely used we exclude it with this generic filter.
        # A better option would be to filter based on script content or another marker while hunting
        ParentCommandLine|contains:
            # The three base64 (UTF-16LE) alignments of '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}'
            - 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
            - 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
            - 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
    condition: selection_img and 1 of selection_susp_location_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897
    - Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
    - Ansible
level: medium
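To see how the selections, filters and condition above combine, here is the rule's logic re-expressed in plain Python and run against constructed process_creation events. This is an added example, not code from SigmaHQ or from any Sigma backend; the event field names follow the rule (Image, CommandLine, ParentImage, ParentCommandLine), and every sample event, path and parent command line below is made up for the example.

```python
"""Plain-Python evaluation of the 'Dynamic .NET Compilation Via Csc.EXE' rule.

Added example, not code from SigmaHQ or from any Sigma backend. Sigma's
contains/startswith/endswith modifiers are case-insensitive, while the 're'
modifier is an unanchored, case-sensitive search (hence [Pp]rogram[Dd]ata).
"""
import re

SUSP_LOCATION_1 = [":\\Perflogs\\", ":\\Users\\Public\\", "\\AppData\\Local\\Temp\\",
                   "\\Temporary Internet", "\\Windows\\Temp\\"]
# contains|all pairs of selection_susp_location_2: both substrings must be present
SUSP_LOCATION_2 = [(":\\Users\\", "\\%s\\" % d)
                   for d in ("Favorites", "Favourites", "Contacts", "Pictures")]
# selection_susp_location_3: only fires when the command line ENDS with one path
# component directly under ProgramData, %AppData%, AppData\Local(Low) or AppData\Roaming
SUSP_LOCATION_3 = re.compile(
    r"([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%"
    r"|\\[Aa]pp[Dd]ata\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$")
PROGRAM_FILES = ("c:\\program files (x86)\\", "c:\\program files\\")
CHOCOLATEY = {"c:\\programdata\\chocolatey\\choco.exe",
              "c:\\programdata\\chocolatey\\tools\\shimgen.exe"}
DEFENDER = "\\programdata\\microsoft\\windows defender advanced threat protection"
# The rule's three base64 (UTF-16LE) alignments of the Ansible bootstrap string
ANSIBLE_MARKERS = [
    "JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw",
    "cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA",
    "nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA",
]


def _f(event, field):
    """Field value lowered, for Sigma's case-insensitive string modifiers."""
    return str(event.get(field, "")).lower()


def susp_selection(event):
    """Name of the first selection_susp_location_* that fires, else None."""
    cl = _f(event, "CommandLine")
    if any(n.lower() in cl for n in SUSP_LOCATION_1):
        return "selection_susp_location_1"
    if any(a.lower() in cl and b.lower() in cl for a, b in SUSP_LOCATION_2):
        return "selection_susp_location_2"
    if SUSP_LOCATION_3.search(str(event.get("CommandLine", ""))):  # case-sensitive
        return "selection_susp_location_3"
    return None


def filter_name(event):
    """Name of the first filter_main_*/filter_optional_* that suppresses the event, else None."""
    parent, pcl = _f(event, "ParentImage"), _f(event, "ParentCommandLine")
    if parent.startswith(PROGRAM_FILES):
        return "filter_main_programfiles"
    if parent == "c:\\windows\\system32\\sdiagnhost.exe":
        return "filter_main_sdiagnhost"
    if parent == "c:\\windows\\system32\\inetsrv\\w3wp.exe":
        return "filter_main_w3p"
    if parent in CHOCOLATEY:
        return "filter_optional_chocolatey"
    if DEFENDER in pcl:
        return "filter_optional_defender"
    if any(m.lower() in pcl for m in ANSIBLE_MARKERS):
        return "filter_optional_ansible"
    return None


def evaluate(event):
    """Apply the rule condition. Returns (matched, reason)."""
    if not _f(event, "Image").endswith("\\csc.exe"):
        return False, "selection_img not met"
    sel = susp_selection(event)
    if sel is None:
        return False, "no selection_susp_location_* matched"
    flt = filter_name(event)
    if flt is not None:
        return False, "%s matched but suppressed by %s" % (sel, flt)
    return True, sel


# Constructed sample events (not real telemetry); paths and parents are invented.
CSC = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"
SAMPLE_EVENTS = {
    # csc.exe compiling a response file dropped in the user's Temp folder by a script
    "temp_from_powershell": {"Image": CSC, "ParentImage": PS,
        "CommandLine": '"' + CSC + '" /noconfig /fullpaths @"C:\\Users\\alice\\AppData\\Local\\Temp\\k3x9.cmdline"',
        "ParentCommandLine": "powershell.exe -File C:\\Users\\alice\\Downloads\\setup.ps1"},
    # source and output both under AppData\Roaming: caught only by the regex selection
    "roaming_source_from_cmd": {"Image": CSC, "ParentImage": CMD,
        "CommandLine": CSC + " /target:exe /out:C:\\Users\\bob\\AppData\\Roaming\\tool.exe C:\\Users\\bob\\AppData\\Roaming\\tool.cs",
        "ParentCommandLine": "cmd.exe /c build.bat"},
    # same Temp pattern, but the parent lives in Program Files: generic filter applies
    "vendor_app_in_program_files": {"Image": CSC,
        "ParentImage": "C:\\Program Files\\ExampleVendor\\agent.exe",
        "CommandLine": '"' + CSC + '" /noconfig /fullpaths @"C:\\Users\\alice\\AppData\\Local\\Temp\\q7.cmdline"',
        "ParentCommandLine": '"C:\\Program Files\\ExampleVendor\\agent.exe" -service'},
    # Ansible bootstrap: parent command line carries one of the base64 markers
    "ansible_bootstrap": {"Image": CSC, "ParentImage": PS,
        "CommandLine": '"' + CSC + '" /noconfig /fullpaths @"C:\\Windows\\Temp\\a1.cmdline"',
        "ParentCommandLine": "powershell.exe -NoProfile -EncodedCommand " + ANSIBLE_MARKERS[1]},
    # ordinary build from a developer checkout: no suspicious location at all
    "developer_build": {"Image": CSC, "ParentImage": CMD,
        "CommandLine": CSC + " /target:library /out:C:\\dev\\app\\bin\\app.dll C:\\dev\\app\\src\\Program.cs",
        "ParentCommandLine": "cmd.exe /c build.bat"},
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print("%-28s -> %s" % (name, evaluate(ev)))
```

Two details worth noticing when tuning this rule: the regex selection is anchored with `$`, so it only fires when the command line ends with a single path component directly under one of the named directories (a response file deeper under `\AppData\Local\Temp\` is caught by `selection_susp_location_1` instead), and `filter_main_programfiles` suppresses anything whose parent sits under Program Files, which is why the rule's own comment suggests baselining the parents seen in your environment rather than relying on that generic filter.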
