C# IL Code Compilation Via Ilasm.EXE

 1title: C# IL Code Compilation Via Ilasm.EXE
 2id: 850d55f9-6eeb-4492-ad69-a72338f65ba4
 3status: test
 4description: Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL.
 5references:
 6    - https://lolbas-project.github.io/lolbas/Binaries/Ilasm/
 7    - https://www.echotrail.io/insights/search/ilasm.exe
 8author: frack113, Nasreddine Bencherchali (Nextron Systems)
 9date: 2022/05/07
10modified: 2022/05/16
11tags:
12    - attack.defense_evasion
13    - attack.t1127
14logsource:
15    product: windows
16    category: process_creation
17detection:
18    selection_img:
19        - Image|endswith: '\ilasm.exe'
20        - OriginalFileName: 'ilasm.exe'
21    selection_cli:
22        CommandLine|contains:
23            - ' /dll'
24            - ' /exe'
25    condition: all of selection_*
26falsepositives:
27    - Unknown
28level: medium

References

• Ilasm | LOLBAS

  Binary file used by .NET to compile C#/intermediate (IL) code to .exe ilasm.exe C:\public\test.txt /exe Use caseCompile attacker code on system. Bypass defensive counter measures. Privileges requir...

  
  Read More

• EchoTrail

  

  Endpoint log security platform.

  
  Read More

Related rules

• JScript Compiler Execution
• Potential Binary Proxy Execution Via Cdb.EXE
• Potential Arbitrary Code Execution Via Node.EXE
• Suspicious Child Process of AspNetCompiler
• Kavremover Dropped Binary LOLBIN Usage