Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
Execute C# code located in the consoleapp folder
When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
Certain processes are not typically observed compiling C# code, but can do so without touching disk.
This can be used to unpack a payload for execution
Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.