Assembly DLL Creation Via AspNetCompiler
Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
Events for file system activity including creation, modification, and deletion.
detection:
    selection:
        Image|endswith: '\aspnet_compiler.exe'
        TargetFilename|contains|all:
            - '\Temporary ASP.NET Files\'
            - '\assembly\tmp\'
            - '.dll'
    condition: selection
False positives: Legitimate assembly compilation using a build provider
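As an added example (not part of the Sigma rule or of any converter's output), the selection above can be evaluated in Python over constructed file-creation events to see which ones fire and why the others do not. The sample paths and the helper names `unmet_conditions`, `matches` and `hits` are assumptions made for illustration.

```python
# Added example: the rule's selection evaluated over constructed file-creation events.
# Sigma string matching is case-insensitive by default, so both sides are lowercased.
IMAGE_SUFFIX = "\\aspnet_compiler.exe"
TARGET_PARTS = ["\\Temporary ASP.NET Files\\", "\\assembly\\tmp\\", ".dll"]

def unmet_conditions(event):
    """Return the selection conditions an event fails; an empty list is a match."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    unmet = []
    if not image.endswith(IMAGE_SUFFIX.lower()):
        unmet.append("Image|endswith")
    # contains|all: every listed substring must be present, in any order
    unmet += [f"TargetFilename|contains {p!r}" for p in TARGET_PARTS
              if p.lower() not in target]
    return unmet

def matches(event):
    return not unmet_conditions(event)

FX = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"  # constructed base path
TMP = FX + r"\Temporary ASP.NET Files\root\1a2b3c4d\5e6f7a8b"

# Constructed sample events (field names as used by the rule)
SAMPLE_EVENTS = [
    {"Image": FX + r"\aspnet_compiler.exe",
     "TargetFilename": TMP + r"\assembly\tmp\QWERTY12\App_Web_sample.dll"},
    {"Image": FX.upper() + r"\ASPNET_COMPILER.EXE",
     "TargetFilename": TMP.upper() + r"\ASSEMBLY\TMP\QWERTY12\APP_WEB_SAMPLE.DLL"},
    # '.dll' is a substring test, so a non-DLL name containing it still matches
    {"Image": FX + r"\aspnet_compiler.exe",
     "TargetFilename": TMP + r"\assembly\tmp\QWERTY12\App_Web_sample.dll.bak"},
    # compiler writes a DLL outside assembly\tmp: one substring is missing
    {"Image": FX + r"\aspnet_compiler.exe",
     "TargetFilename": TMP + r"\App_Web_sample.dll"},
    # same target path, different writing process
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": TMP + r"\assembly\tmp\QWERTY12\App_Web_sample.dll"},
]

def hits(events):
    """Indexes of the events that satisfy the whole selection."""
    return [i for i, e in enumerate(events) if matches(e)]

if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS):
        print(i, "MATCH" if matches(e) else unmet_conditions(e))
```

The third event shows that `.dll` is matched as a substring rather than as a file extension, which is worth keeping in mind when tuning the rule against the false positive listed above.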
Suspicious Child Process of AspNetCompiler
Detects potentially suspicious child processes of "aspnet_compiler.exe".
Detects similar activity. Both rules may fire on overlapping events.
Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
Detects similar activity. Both rules may fire on overlapping events.
AspNetCompiler Execution
Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
Detects similar activity. Both rules may fire on overlapping events.