Use of FSharp Interpreters
Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe" Both can be used for AWL bypass and to execute F# code via scripts or inline.
Sigma rule (View on GitHub)
1title: Use of FSharp Interpreters
2id: b96b2031-7c17-4473-afe7-a30ce714db29
3status: test
4description: |
5 Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe"
6 Both can be used for AWL bypass and to execute F# code via scripts or inline.
7references:
8 - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
9 - https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/
10 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/
11 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/
12author: Christopher Peacock @SecurePeacock, SCYTHE @scythe_io
13date: 2022/06/02
14modified: 2024/04/23
15tags:
16 - attack.execution
17 - attack.t1059
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection:
23 - Image|endswith:
24 - '\fsi.exe'
25 - '\fsianycpu.exe'
26 - OriginalFileName:
27 - 'fsi.exe'
28 - 'fsianycpu.exe'
29 condition: selection
30falsepositives:
31 - Legitimate use by a software developer.
32level: medium
References
Related rules
- Potential Arbitrary Command Execution Via FTP.EXE
- Wscript Shell Run In CommandLine
- Bypassing Security Controls - Command Shell
- In-memory Downloading and Compiling of Applets as Payloads
- Mac AppleScript Input Prompt