Techniques
Sample rules
Suspicious Csi.exe Usage
- source: sigma
- techniques:
  - t1072
  - t1218
Description
Csi.exe is a signed Microsoft binary that ships with Visual Studio and provides C# interactive capabilities. It can run C# code from a file passed as a command-line parameter. An early version of this utility, provided with the Microsoft “Roslyn” Community Technology Preview, was named ‘rcsi.exe’.
Detection logic
condition: all of selection*
selection_cli:
  Company: Microsoft Corporation
selection_img:
  - Image|endswith:
      - \csi.exe
      - \rcsi.exe
  - OriginalFileName:
      - csi.exe
      - rcsi.exe
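
The following is an added example, not part of the Sigma rule or its project: it evaluates the two selections above against process-creation events to show which combinations of Image, OriginalFileName and Company raise an alert. The events, paths and vendor names are constructed, and the helper names (`ev`, `matches`, `triage`) are hypothetical.

```python
# Added example: the rule's selections evaluated over constructed events.
IMAGE_SUFFIXES = ("\\csi.exe", "\\rcsi.exe")
ORIGINAL_NAMES = ("csi.exe", "rcsi.exe")
COMPANY = "microsoft corporation"


def selection_img(event):
    """A list of maps is an OR: path suffix OR PE OriginalFileName."""
    image = event.get("Image", "").lower()  # Sigma matching ignores case
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_NAMES


def selection_cli(event):
    """Company from the PE version resource must be Microsoft."""
    return event.get("Company", "").lower() == COMPANY


def matches(event):
    """condition: all of selection* (both selections must hold)."""
    return selection_img(event) and selection_cli(event)


def ev(name, image, original, company):
    return {"name": name, "Image": image, "OriginalFileName": original, "Company": company}


# Constructed sample events; paths and vendor names are illustrative.
MS = "Microsoft Corporation"
EVENTS = [
    ev("expected name", r"C:\BuildTools\Roslyn\csi.exe", "csi.exe", MS),
    ev("legacy rcsi, upper case", r"C:\Tools\RCSI.EXE", "rcsi.exe", MS),
    ev("renamed on disk", r"C:\Temp\helper.exe", "csi.exe", MS),
    ev("same file name, other vendor", r"C:\Apps\csi.exe", "csi.exe", "Example Vendor"),
    ev("unrelated Microsoft binary", r"C:\Windows\System32\cmd.exe", "Cmd.Exe", MS),
    ev("version fields missing", r"C:\Apps\csi.exe", "", ""),
]


def triage(events):
    """Names of the events the rule would alert on."""
    return [e["name"] for e in events if matches(e)]


if __name__ == "__main__":
    for name in triage(EVENTS):
        print("ALERT:", name)
```

The last constructed event shows a coverage dependency: if the log source does not populate Company, `selection_cli` can never match and the rule stays silent even when the image path ends in `\csi.exe`.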