Techniques
Sample rules
Assembly DLL Creation Via AspNetCompiler
- source: sigma
- technicques:
Description
Detects the creation of new DLL assembly files by “aspnet_compiler.exe”, which could be a sign of “aspnet_compiler” abuse to proxy execution through a build provider.
Detection logic
condition: selection
selection:
Image|endswith: \aspnet_compiler.exe
TargetFilename|contains|all:
- \Temporary ASP.NET Files\
- \assembly\tmp\
- .dll