Detectionmediumtest
Suspicious Csi.exe Usage
Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Konstantin Grishchenko, oscd.communityCreated Sat Oct 17Updated Mon Jul 1140b95d31-1afc-469e-8d34-9a3a667d058ewindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection_img:
- Image|endswith:
- '\csi.exe'
- '\rcsi.exe'
- OriginalFileName:
- 'csi.exe'
- 'rcsi.exe'
selection_cli:
Company: 'Microsoft Corporation'
condition: all of selection*False Positives
Legitimate usage by software developers
MITRE ATT&CK
Rule Metadata
Rule ID
40b95d31-1afc-469e-8d34-9a3a667d058e
Status
test
Level
medium
Type
Detection
Created
Sat Oct 17
Modified
Mon Jul 11
Path
rules/windows/process_creation/proc_creation_win_csi_execution.yml
Raw Tags
attack.lateral-movementattack.executionattack.t1072attack.defense-evasionattack.t1218