Suspicious Use of CSharp Interactive Console
Detects the execution of CSharp interactive console by PowerShell
Sigma rule
```yaml
title: Suspicious Use of CSharp Interactive Console
id: a9e416a8-e613-4f8b-88b8-a7d1d1af2f61
status: test
description: Detects the execution of CSharp interactive console by PowerShell
references:
    - https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/
author: Michael R. (@nahamike01)
date: 2020-03-08
modified: 2022-07-14
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\csi.exe'
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\powershell_ise.exe'
        OriginalFileName: 'csi.exe'
    condition: selection
falsepositives:
    - Possible depending on environment. Pair with other factors such as net connections, command-line args, etc.
level: high
```
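The rule's `selection` logic applied to a few constructed process-creation events, as an added example (not code from the Sigma project or the rule's author). The function names, event dictionaries and file paths are assumptions made for illustration; only the field names and match values come from the rule.

```python
# Added example: evaluate the rule's `selection` against constructed events.
# Field names and match values come from the rule; everything else is assumed.

PARENT_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe", "\\powershell_ise.exe")


def matches_selection(event: dict) -> bool:
    """All three fields must match (AND); the ParentImage list is an OR.
    Sigma string comparisons are case-insensitive, so values are lowercased."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return (
        image.endswith("\\csi.exe")
        and parent.endswith(PARENT_SUFFIXES)
        and original == "csi.exe"
    )


def matching_events(events: list) -> list:
    """Return the labels of the events the selection would alert on."""
    return [e["label"] for e in events if matches_selection(e)]


# Constructed sample events (not real telemetry; paths are hypothetical).
EVENTS = [
    {"label": "powershell parent", "Image": r"C:\Tools\Roslyn\csi.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "csi.exe"},
    {"label": "uppercase pwsh parent", "Image": r"C:\TOOLS\ROSLYN\CSI.EXE",
     "ParentImage": r"C:\Program Files\PowerShell\7\PWSH.EXE",
     "OriginalFileName": "csi.exe"},
    {"label": "cmd parent", "Image": r"C:\Tools\Roslyn\csi.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "csi.exe"},
    {"label": "different binary", "Image": r"C:\Tools\Roslyn\csc.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "csc.exe"},
    # A log source that does not record OriginalFileName: the rule cannot fire.
    {"label": "no OriginalFileName field", "Image": r"C:\Tools\Roslyn\csi.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for label in matching_events(EVENTS):
        print("ALERT:", label)
```

The last event shows a deployment check worth making before relying on the rule: the process-creation telemetry must populate `OriginalFileName`, otherwise the selection never matches.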
References
Related rules
- Detection of PowerShell Execution via Sqlps.exe
- Potential Binary Proxy Execution Via Cdb.EXE
- SQL Client Tools PowerShell Session Detection
- Outlook EnableUnsafeClientMailRules Setting Enabled
- Potentially Suspicious Rundll32.EXE Execution of UDL File