detection.wiki

Detection rules › Sigma

Dynamic .NET Compilation Via Csc.EXE

Severity
medium
Author
Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
Source
upstream

Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.

MITRE ATT&CK coverage

TacticTechniques
Defense EvasionT1027.004 Obfuscated Files or Information: Compile After Delivery

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: selection_img

Image|endswith: '\csc.exe'

Stage 2: 1 of selection_susp_location_1

or:
CommandLine|contains: ':\Perflogs\'
CommandLine|contains: ':\Users\Public\'
CommandLine|contains: '\AppData\Local\Temp\'
CommandLine|contains: '\Temporary Internet'
CommandLine|contains: '\Windows\Temp\'

Stage 3: 1 of selection_susp_location_2

or:
CommandLine|contains: ':\Users\'
CommandLine|contains: '\Contacts\'
CommandLine|contains: ':\Users\'
CommandLine|contains: '\Favorites\'
CommandLine|contains: ':\Users\'
CommandLine|contains: '\Favourites\'
CommandLine|contains: ':\Users\'
CommandLine|contains: '\Pictures\'

Stage 4: 1 of selection_susp_location_3

CommandLine|re: '([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'

Stage 5: not 1 of filter_main_*

or:
ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe'
ParentImage: 'C:\Windows\System32\sdiagnhost.exe'
ParentImage|startswith: 'C:\Program Files (x86)\'
ParentImage|startswith: 'C:\Program Files\'

Stage 6: not 1 of filter_optional_*

or:
ParentCommandLine|contains: 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
ParentCommandLine|contains: 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
ParentCommandLine|contains: 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
ParentImage: 'C:\ProgramData\chocolatey\choco.exe'
ParentImage: 'C:\ProgramData\chocolatey\tools\shimgen.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • :\Perflogs\ corpus 4 (sigma 4)
  • :\Users\ corpus 6 (sigma 6)
  • :\Users\Public\ corpus 14 (sigma 14)
  • \AppData\Local\Temp\ corpus 16 (sigma 16)
  • \Contacts\ corpus 6 (sigma 6)
  • \Favorites\ corpus 6 (sigma 6)
  • \Favourites\ corpus 6 (sigma 6)
  • \Pictures\ corpus 3 (sigma 3)
  • \Temporary Internet corpus 6 (sigma 6)
  • \Windows\Temp\ corpus 10 (sigma 10)
CommandLineregex_match
  • ([Pp]rogram[Dd]ata|%([Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\([Ll]ocal([Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$
Imageends_with
  • \csc.exe corpus 5 (sigma 5)
ParentCommandLinematch
  • JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw corpus 2 (sigma 2)
  • \ProgramData\Microsoft\Windows Defender Advanced Threat Protection corpus 2 (sigma 2)
  • cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA corpus 2 (sigma 2)
  • nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA corpus 2 (sigma 2)
ParentImageeq
  • C:\ProgramData\chocolatey\choco.exe corpus 2 (sigma 2)
  • C:\ProgramData\chocolatey\tools\shimgen.exe
  • C:\Windows\System32\inetsrv\w3wp.exe corpus 2 (sigma 2)
  • C:\Windows\System32\sdiagnhost.exe corpus 2 (sigma 2)
ParentImagestarts_with
  • C:\Program Files (x86)\ corpus 2 (sigma 2)
  • C:\Program Files\ corpus 2 (sigma 2)