Suspicious Csi.exe Usage

calendar Oct 23, 2025 · attack.lateral-movement attack.execution attack.t1072 attack.defense-evasion attack.t1218  ·
Share on: linkedin copy

Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'

Sigma rule (View on GitHub)

 1title: Suspicious Csi.exe Usage
 2id: 40b95d31-1afc-469e-8d34-9a3a667d058e
 3status: test
 4description: Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
 5references:
 6    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/
 7    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/
 8    - https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
 9    - https://twitter.com/Z3Jpa29z/status/1317545798981324801
10author: Konstantin Grishchenko, oscd.community
11date: 2020-10-17
12modified: 2022-07-11
13tags:
14    - attack.lateral-movement
15    - attack.execution
16    - attack.t1072
17    - attack.defense-evasion
18    - attack.t1218
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_img:
24        - Image|endswith:
25              - '\csi.exe'
26              - '\rcsi.exe'
27        - OriginalFileName:
28              - 'csi.exe'
29              - 'rcsi.exe'
30    selection_cli:
31        Company: 'Microsoft Corporation'
32    condition: all of selection*
33fields:
34    - ComputerName
35    - User
36    - CommandLine
37    - ParentCommandLine
38falsepositives:
39    - Legitimate usage by software developers
40level: medium

References

  • Csi on LOLBAS

    csi.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.


    Read More

  • Rcsi on LOLBAS

    rcsi.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.


    Read More

  • Bypassing Application Whitelisting By Using rcsi.exe

    Over the past few weeks, I have had the pleasure to work side-by-side with Matt Graeber (@mattifestation) and Casey Smith (@subtee) researching Device Guard user mode code integrity (UMCI) bypasses…


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.


    Read More

Related rules

to-top