Use of FSharp Interpreters

calendar Aug 12, 2024 · attack.execution attack.t1059  ·
Share on: linkedin copy

Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe" Both can be used for AWL bypass and to execute F# code via scripts or inline.

Sigma rule (View on GitHub)

 1title: Use of FSharp Interpreters
 2id: b96b2031-7c17-4473-afe7-a30ce714db29
 3status: test
 4description: |
 5    Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe"
 6    Both can be used for AWL bypass and to execute F# code via scripts or inline.    
 7references:
 8    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac
 9    - https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
10    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/
11    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/
12author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
13date: 2022-06-02
14modified: 2024-04-23
15tags:
16    - attack.execution
17    - attack.t1059
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        - Image|endswith:
24              - '\fsi.exe'
25              - '\fsianycpu.exe'
26        - OriginalFileName:
27              - 'fsi.exe'
28              - 'fsianycpu.exe'
29    condition: selection
30falsepositives:
31    - Legitimate use by a software developer.
32level: medium

References

Related rules

to-top