Suspicious Use of CSharp Interactive Console
Detects the execution of CSharp interactive console by PowerShell
Sigma rule (View on GitHub)
1title: Suspicious Use of CSharp Interactive Console
2id: a9e416a8-e613-4f8b-88b8-a7d1d1af2f61
3status: test
4description: Detects the execution of CSharp interactive console by PowerShell
5references:
6 - https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/
7author: Michael R. (@nahamike01)
8date: 2020/03/08
9modified: 2022/07/14
10tags:
11 - attack.execution
12 - attack.t1127
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 Image|endswith: '\csi.exe'
19 ParentImage|endswith:
20 - '\powershell.exe'
21 - '\pwsh.exe'
22 - '\powershell_ise.exe'
23 OriginalFileName: 'csi.exe'
24 condition: selection
25falsepositives:
26 - Possible depending on environment. Pair with other factors such as net connections, command-line args, etc.
27level: high
References
-
The .NET framework includes rich offensive capabilities that adversaries aren’t yet using, but we’ve been thinking about detection anyway.
Read More
Related rules
- Detection of PowerShell Execution via Sqlps.exe
- SQL Client Tools PowerShell Session Detection
- Microsoft Workflow Compiler Execution
- WinDbg/CDB LOLBIN Usage
- Invoke-Obfuscation Obfuscated IEX Invocation