Dynamic CSharp Compile Artefact
When C# is compiled dynamically, a .cmdline file is created as part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk; this can be used to unpack a payload for execution.
Log Source
Product: windows
Category: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
detection:
  selection:
    TargetFilename|endswith: '.cmdline'
  condition: selection
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
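As an added example that is not part of this rule page: a small Python evaluator that applies the rule's selection (Sigma `endswith`, which is case-insensitive by default) to constructed Sysmon FileCreate records, keeping the writing Image for the triage context the false-positive note asks for. The event records and paths are constructed, not real telemetry.

```python
"""Apply this rule's Sigma selection to constructed Windows file-event records."""

# Detection block transcribed from the rule on this page.
RULE = {
    "selection": {"TargetFilename|endswith": ".cmdline"},
    "condition": "selection",
}

def field_matches(record, key, expected):
    """Evaluate one 'Field|modifier: value' pair. Sigma string matching is
    case-insensitive by default, so both sides are lowercased."""
    field, _, modifier = key.partition("|")
    value = record.get(field)
    if value is None:
        return False
    value = str(value).lower()
    wanted = [str(e).lower() for e in (expected if isinstance(expected, list) else [expected])]
    if modifier == "endswith":
        return any(value.endswith(w) for w in wanted)
    if modifier == "":  # no modifier: exact (case-insensitive) match
        return value in wanted
    raise ValueError(f"unsupported Sigma modifier: {modifier}")

def evaluate(record, rule=RULE):
    """True when the record satisfies the rule. Only the 'condition: selection'
    form used by this rule is handled; pairs inside a selection are AND-ed."""
    if rule["condition"] != "selection":
        raise ValueError("only 'condition: selection' is supported here")
    return all(field_matches(record, k, v) for k, v in rule["selection"].items())

# Constructed Sysmon Event ID 11 (FileCreate) records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\abc123.cmdline"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\XYZ.CMDLINE"},
]

def find_hits(events=SAMPLE_EVENTS):
    """Return the records the rule fires on. Image is kept for triage: the rule
    itself does not distinguish csc.exe from an unexpected writer, so that
    context is what the page's false-positive note asks the analyst to add."""
    return [e for e in events if evaluate(e)]

if __name__ == "__main__":
    for hit in find_hits():
        print(hit["Image"], "->", hit["TargetFilename"])
```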
Rule Metadata
Rule ID: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
Status: test
Level: low
Type: Detection
Created: Sun Jan 09
Modified: Fri Feb 17
Path: rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml
Raw Tags: attack.defense-evasion, attack.t1027.004