Suspicious Child Process of AspNetCompiler
Detects potentially suspicious child processes of "aspnet_compiler.exe".
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
    selection_parent:
        ParentImage|endswith: '\aspnet_compiler.exe'
    selection_child:
        # Note: add other potential suspicious child processes and paths
        - Image|endswith:
              - '\calc.exe'
              - '\notepad.exe'
        - Image|contains:
              - '\Users\Public\'
              - '\AppData\Local\Temp\'
              - '\AppData\Local\Roaming\'
              - ':\Temp\'
              - ':\Windows\Temp\'
              - ':\Windows\System32\Tasks\'
              - ':\Windows\Tasks\'
    condition: all of selection_*
False positive likelihood has not been assessed. Additional context may be needed during triage.
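The detection logic above, evaluated over constructed process-creation events, as an added Python example that is not part of the Sigma rule or its project. The field names and patterns come from the rule; the event dictionaries, the helper names and the case-insensitive comparison (Sigma's default for string values) are assumptions of this example.

```python
# Added example: the rule's selections applied to constructed events.
PARENT_SUFFIX = "\\aspnet_compiler.exe"
CHILD_SUFFIXES = ["\\calc.exe", "\\notepad.exe"]
CHILD_SUBSTRINGS = [
    "\\Users\\Public\\", "\\AppData\\Local\\Temp\\", "\\AppData\\Local\\Roaming\\",
    ":\\Temp\\", ":\\Windows\\Temp\\", ":\\Windows\\System32\\Tasks\\", ":\\Windows\\Tasks\\",
]

def selection_parent(event):
    # ParentImage|endswith, compared case-insensitively (assumed Sigma default)
    return event.get("ParentImage", "").lower().endswith(PARENT_SUFFIX.lower())

def selection_child(event):
    # The two list items are OR'ed: Image|endswith OR Image|contains
    image = event.get("Image", "").lower()
    return (any(image.endswith(s.lower()) for s in CHILD_SUFFIXES)
            or any(s.lower() in image for s in CHILD_SUBSTRINGS))

def matches(event):
    # condition: all of selection_*
    return selection_parent(event) and selection_child(event)

COMPILER = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_compiler.exe"

# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"ParentImage": COMPILER, "Image": "C:\\Windows\\System32\\calc.exe"},
    {"ParentImage": COMPILER.upper(), "Image": "C:\\Users\\Public\\tool.exe"},
    {"ParentImage": COMPILER, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe"},
    {"ParentImage": COMPILER, "Image": "D:\\Projects\\Temp\\build.exe"},
]

def triage(events):
    # One boolean per event: True where the rule would fire
    return [matches(e) for e in events]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print("ALERT" if hit else "ok   ", event["Image"], "<-", event["ParentImage"])
```

The last event does not match because `:\Temp\` only covers a `Temp` directory at the root of a drive, so a nested `Temp` folder in a path not otherwise listed is outside the rule's coverage.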
Assembly DLL Creation Via AspNetCompiler
Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
Detects similar activity. Both rules may fire on overlapping events.
Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
Detects similar activity. Both rules may fire on overlapping events.
AspNetCompiler Execution
Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
Detects similar activity. Both rules may fire on overlapping events.