LoFP / legitimate microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962

Techniques

Sample rules

Dynamic .NET Compilation Via Csc.EXE

Description

Detects execution of "csc.exe" (the C# compiler shipped with the .NET Framework) to compile code from user-writable or temporary locations. Attackers often use it to compile payloads on the fly on the target host and use the result in later stages, so the rule keys on the source/output paths in the command line rather than on csc.exe alone.

Detection logic

condition: selection_img and 1 of selection_susp_location_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_programfiles:
  ParentImage|startswith:
  - C:\Program Files (x86)\
  - C:\Program Files\
filter_main_sdiagnhost:
  ParentImage: C:\Windows\System32\sdiagnhost.exe
filter_main_w3p:
  ParentImage: C:\Windows\System32\inetsrv\w3wp.exe
filter_optional_ansible:
  ParentCommandLine|contains:
  - JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw
  - cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA
  - nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA
filter_optional_chocolatey:
  ParentImage:
  - C:\ProgramData\chocolatey\choco.exe
  - C:\ProgramData\chocolatey\tools\shimgen.exe
filter_optional_defender:
  ParentCommandLine|contains: \ProgramData\Microsoft\Windows Defender Advanced Threat Protection
selection_img:
  Image|endswith: \csc.exe
selection_susp_location_1:
  CommandLine|contains:
  - :\Perflogs\
  - :\Users\Public\
  - \AppData\Local\Temp\
  - \Temporary Internet
  - \Windows\Temp\
selection_susp_location_2:
- CommandLine|contains|all:
  - :\Users\
  - \Favorites\
- CommandLine|contains|all:
  - :\Users\
  - \Favourites\
- CommandLine|contains|all:
  - :\Users\
  - \Contacts\
- CommandLine|contains|all:
  - :\Users\
  - \Pictures\
selection_susp_location_3:
  CommandLine|re: ([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$
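The rule above, re-implemented in plain Python and run over a handful of constructed process-creation events. This is an added example, not code from the LoFP page or from the Sigma rule's authors. The field names follow the Sigma process_creation logsource (Image, CommandLine, ParentImage, ParentCommandLine); the paths, parent processes and command lines are made up for illustration, and the Ansible base64 fragments are the three listed in the rule. Sigma's contains/startswith/endswith modifiers are treated as case-insensitive and re as a case-sensitive unanchored search, which is how Sigma backends normally compile them.

```python
import re

# Added example: the Sigma rule "Dynamic .NET Compilation Via Csc.EXE" evaluated in plain
# Python over constructed events. Sigma contains/startswith/endswith are case-insensitive;
# `re` is a case-sensitive unanchored search (hence the [Pp]/[Dd] classes in the rule).

def _lc(value):
    return (value or "").lower()

def ci_contains(value, needle):
    return needle.lower() in _lc(value)

def ci_startswith(value, prefix):
    return _lc(value).startswith(prefix.lower())

def ci_endswith(value, suffix):
    return _lc(value).endswith(suffix.lower())

# selection_susp_location_1: any one substring in CommandLine
SUSP_LOCATION_1 = [":\\Perflogs\\", ":\\Users\\Public\\", "\\AppData\\Local\\Temp\\",
                   "\\Temporary Internet", "\\Windows\\Temp\\"]
# selection_susp_location_2: each tuple is one contains|all group
SUSP_LOCATION_2 = [(":\\Users\\", "\\Favorites\\"), (":\\Users\\", "\\Favourites\\"),
                   (":\\Users\\", "\\Contacts\\"), (":\\Users\\", "\\Pictures\\")]
# selection_susp_location_3: the rule's regex verbatim. Because of the trailing \\[^\\]{1,256}$
# it only fires when the LAST path element of the whole command line sits directly under
# ProgramData, %AppData%, %LocalAppData% or AppData\{Local,LocalLow,Roaming}.
SUSP_LOCATION_3 = re.compile(
    r"([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$")

# UTF-16LE base64 fragments from filter_optional_ansible, copied from the rule.
ANSIBLE_B64 = [
    "JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw",
    "cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA",
    "nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA",
]

FILTER_MAIN = {
    "filter_main_programfiles": lambda e: any(ci_startswith(e.get("ParentImage"), p)
                                              for p in ("C:\\Program Files (x86)\\", "C:\\Program Files\\")),
    "filter_main_sdiagnhost": lambda e: _lc(e.get("ParentImage")) == "c:\\windows\\system32\\sdiagnhost.exe",
    "filter_main_w3p": lambda e: _lc(e.get("ParentImage")) == "c:\\windows\\system32\\inetsrv\\w3wp.exe",
}
FILTER_OPTIONAL = {
    "filter_optional_ansible": lambda e: any(ci_contains(e.get("ParentCommandLine"), b) for b in ANSIBLE_B64),
    "filter_optional_chocolatey": lambda e: _lc(e.get("ParentImage")) in (
        "c:\\programdata\\chocolatey\\choco.exe", "c:\\programdata\\chocolatey\\tools\\shimgen.exe"),
    "filter_optional_defender": lambda e: ci_contains(
        e.get("ParentCommandLine"), "\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection"),
}

def susp_location(event):
    """Name of the first selection_susp_location_* that matches, or None."""
    cl = event.get("CommandLine", "")
    if any(ci_contains(cl, s) for s in SUSP_LOCATION_1):
        return "selection_susp_location_1"
    if any(all(ci_contains(cl, s) for s in group) for group in SUSP_LOCATION_2):
        return "selection_susp_location_2"
    if SUSP_LOCATION_3.search(cl):
        return "selection_susp_location_3"
    return None

def evaluate(event):
    """Apply the rule condition; return 'no-match', 'filtered:<filter>' or 'alert:<selection>'."""
    if not ci_endswith(event.get("Image"), "\\csc.exe"):       # selection_img
        return "no-match"
    hit = susp_location(event)                                  # 1 of selection_susp_location_*
    if hit is None:
        return "no-match"
    for name, matches in {**FILTER_MAIN, **FILTER_OPTIONAL}.items():   # not 1 of filter_*
        if matches(event):
            return "filtered:" + name
    return "alert:" + hit

# Constructed sample events (Sigma process_creation field names); every path here is made up.
CSC = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

def ev(eid, cmdline, parent="C:\\Windows\\System32\\cmd.exe", parent_cl="cmd.exe", image=CSC):
    return {"id": eid, "Image": image, "CommandLine": cmdline,
            "ParentImage": parent, "ParentCommandLine": parent_cl}

EVENTS = [
    ev("public-dir", CSC + " /nologo /out:C:\\Users\\Public\\loader.exe C:\\Users\\Public\\loader.cs"),
    ev("vendor-parent", CSC + " /nologo /out:C:\\Users\\Public\\loader.exe C:\\Users\\Public\\loader.cs",
       parent="C:\\Program Files\\Contoso Agent\\agent.exe"),
    ev("add-type", CSC + ' /noconfig /fullpaths @"C:\\Users\\bob\\AppData\\Local\\Temp\\qwerty\\qwerty.cmdline"',
       parent=PS, parent_cl="powershell.exe -File C:\\scripts\\inventory.ps1"),
    ev("iis-worker", CSC + ' /noconfig /fullpaths @"C:\\Windows\\Temp\\aspnet\\site.cmdline"',
       parent="C:\\Windows\\System32\\inetsrv\\w3wp.exe", parent_cl="w3wp.exe -ap DefaultAppPool"),
    ev("ansible", CSC + ' /noconfig /fullpaths @"C:\\Users\\svc\\AppData\\Local\\Temp\\abc\\abc.cmdline"',
       parent=PS, parent_cl="powershell.exe -NoProfile -EncodedCommand " + ANSIBLE_B64[0]),
    ev("defender-onboarding", CSC + ' /noconfig /fullpaths @"C:\\Windows\\Temp\\mde\\mde.cmdline"',
       parent=PS, parent_cl='powershell.exe -File "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\onboard.ps1"'),
    ev("programdata-root", CSC + " /target:library /out:C:\\ProgramData\\helper.dll C:\\ProgramData\\helper.cs"),
    ev("programdata-nested", CSC + " /target:library /out:C:\\ProgramData\\Contoso\\helper.dll C:\\ProgramData\\Contoso\\helper.cs"),
    ev("pictures", CSC + " /out:C:\\Users\\alice\\Pictures\\img.exe C:\\Users\\alice\\Pictures\\img.cs"),
    ev("vbc-not-csc", "vbc.exe /out:C:\\Users\\Public\\x.exe C:\\Users\\Public\\x.vb",
       image="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\vbc.exe"),
]

def run(events=EVENTS):
    """Verdict per event id, e.g. {'public-dir': 'alert:selection_susp_location_1', ...}."""
    return {e["id"]: evaluate(e) for e in events}

if __name__ == "__main__":
    for eid, verdict in run().items():
        print(f"{eid:22} {verdict}")
```

Two things worth noticing when tuning this rule: the selection_susp_location_3 regex is anchored with `$`, so a compile whose last command-line argument lives in a sub-folder of ProgramData (the programdata-nested event) is not caught unless it also hits one of the other selections, and filter_main_programfiles suppresses any csc.exe whose parent sits anywhere under Program Files, which is a broad exclusion on hosts where attackers can write into a vendor directory.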