Techniques
Sample rules
Dynamic .NET Compilation Via Csc.EXE
- source: sigma
- techniques:
    - t1027
    - t1027.004
Description
Detects execution of “csc.exe” to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
Detection logic
selection_img:
    Image|endswith: '\csc.exe'
selection_susp_location_1:
    CommandLine|contains:
        - ':\Perflogs\'
        - ':\Users\Public\'
        - '\AppData\Local\Temp\'
        - '\Temporary Internet'
        - '\Windows\Temp\'
selection_susp_location_2:
    - CommandLine|contains|all:
        - ':\Users\'
        - '\Favorites\'
    - CommandLine|contains|all:
        - ':\Users\'
        - '\Favourites\'
    - CommandLine|contains|all:
        - ':\Users\'
        - '\Contacts\'
    - CommandLine|contains|all:
        - ':\Users\'
        - '\Pictures\'
selection_susp_location_3:
    CommandLine|re: '([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'
filter_main_programfiles:
    ParentImage|startswith:
        - 'C:\Program Files (x86)\'
        - 'C:\Program Files\'
filter_main_sdiagnhost:
    ParentImage: 'C:\Windows\System32\sdiagnhost.exe'
filter_main_w3p:
    ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe'
filter_optional_ansible:
    ParentCommandLine|contains:
        - 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
        - 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
        - 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
filter_optional_chocolatey:
    ParentImage:
        - 'C:\ProgramData\chocolatey\choco.exe'
        - 'C:\ProgramData\chocolatey\tools\shimgen.exe'
filter_optional_defender:
    ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
condition: selection_img and 1 of selection_susp_location_* and not 1 of filter_main_* and not 1 of filter_optional_*