Threat Huntmediumtest

Dynamic .NET Compilation Via Csc.EXE - Hunting

Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Wed Aug 02acf2807c-805b-4042-aab9-f86b6ba9cb2bwindows

Hunting Hypothesis

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: '\csc.exe'
        CommandLine|contains: '/noconfig /fullpaths @'
    condition: selection

False Positives

Many legitimate applications make use of dynamic compilation. Use this rule to hunt for anomalies

References

Resolving title…

securityboulevard.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1027.004 · Compile After Delivery

Other

detection.threat-hunting

Related Rules

DerivedDetectionmedium

Dynamic .NET Compilation Via Csc.EXE

Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata

Rule ID

acf2807c-805b-4042-aab9-f86b6ba9cb2b

Status

test

Level

medium

Type

Threat Hunt

Created

Wed Aug 02

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules-threat-hunting/windows/process_creation/proc_creation_win_csc_compilation.yml

Raw Tags

attack.defense-evasionattack.t1027.004detection.threat-hunting

View on GitHub