Assembly DLL Creation Via AspNetCompiler

Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.

Event coverage

Provider	Event ID	Title
Sysmon	11	FileCreate

Stages and Predicates

Stage 1: `selection`

Image|endswith: '\aspnet_compiler.exe'
TargetFilename|contains: .dll
TargetFilename|contains: '\Temporary ASP.NET Files\'
TargetFilename|contains: '\assembly\tmp\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`\aspnet_compiler.exe` corpus 3 (sigma 3)
`TargetFilename`	match	`.dll` `\Temporary ASP.NET Files\` `\assembly\tmp\`

Assembly DLL Creation Via AspNetCompiler

Event coverage

Stages and Predicates

Stage 1: selection

Indicators

Stage 1: `selection`