← Back to SOC feed Coverage →

Dynamic .NET Compilation Via Csc.EXE

sigma MEDIUM SigmaHQ
T1027.004
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-07T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects execution of “csc.exe” to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.

Detection Rule

Sigma (Original)

title: Dynamic .NET Compilation Via Csc.EXE
id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
status: test
description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
references:
    - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
    - https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
    - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
    - https://twitter.com/gN3mes1s/status/1206874118282448897
    - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe
author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
date: 2019-08-24
modified: 2026-03-23
tags:
    - attack.stealth
    - attack.t1027.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\csc.exe'
    selection_susp_location_1:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\AppData\Local\Temp\' # User execution
            - '\Temporary Internet'
            - '\Windows\Temp\' # Admin execution
    selection_susp_location_2:
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Pictures\'
    selection_susp_location_3:
        CommandLine|re: '(?:[Pp]rogram[Dd]ata|%(?:[Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\(?:[Ll]ocal(?:[Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'
    filter_main_programfiles:
        # Note: this is a generic filter. You could baseline execution in your env for a more robust rule
        ParentImage|startswith:
            - 'C:\Program Files (x86)\' # https://twitter.com/gN3mes1s/status/1206874118282448897
            - 'C:\Program Files\' # https://twitter.com/gN3mes1s/status/1206874118282448897
    filter_main_sdiagnhost:
        ParentImage: 'C:\Windows\System32\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
    filter_main_w3p:
        ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
    filter_optional_chocolatey:
        ParentImage: # Chocolatey https://chocolatey.org/
            - 'C:\ProgramData\chocolatey\choco.exe'
            - 'C:\ProgramData\chocolatey\tools\shimgen.exe'
    filter_optional_defender:
        ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
    filter_optional_ansible:
        # Note: As ansible is widely used we exclude it with this generic filter.
        # A better option would be to filter based on script content basis or other marker while hunting
        ParentCommandLine|contains:
            # '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}'
            - 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
            - 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
            - 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
    condition: selection_img and 1 of selection_susp_location_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897
    - Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
    - Ansible
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessName endswith "\\csc.exe" and ((TargetProcessCommandLine contains ":\\Perflogs\\" or TargetProcessCommandLine contains ":\\Users\\Public\\" or TargetProcessCommandLine contains "\\AppData\\Local\\Temp\\" or TargetProcessCommandLine contains "\\Temporary Internet" or TargetProcessCommandLine contains "\\Windows\\Temp\\") or ((TargetProcessCommandLine contains ":\\Users\\" and TargetProcessCommandLine contains "\\Favorites\\") or (TargetProcessCommandLine contains ":\\Users\\" and TargetProcessCommandLine contains "\\Favourites\\") or (TargetProcessCommandLine contains ":\\Users\\" and TargetProcessCommandLine contains "\\Contacts\\") or (TargetProcessCommandLine contains ":\\Users\\" and TargetProcessCommandLine contains "\\Pictures\\")) or TargetProcessCommandLine matches regex "(?:[Pp]rogram[Dd]ata|%(?:[Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\(?:[Ll]ocal(?:[Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$") and (not((((ParentProcessName startswith "C:\\Program Files (x86)\\" or ParentProcessName startswith "C:\\Program Files\\") or (ActingProcessName startswith "C:\\Program Files (x86)\\" or ActingProcessName startswith "C:\\Program Files\\")) or (ParentProcessName =~ "C:\\Windows\\System32\\sdiagnhost.exe" or ActingProcessName =~ "C:\\Windows\\System32\\sdiagnhost.exe") or (ParentProcessName =~ "C:\\Windows\\System32\\inetsrv\\w3wp.exe" or ActingProcessName =~ "C:\\Windows\\System32\\inetsrv\\w3wp.exe")))) and (not((((ParentProcessName in~ ("C:\\ProgramData\\chocolatey\\choco.exe", "C:\\ProgramData\\chocolatey\\tools\\shimgen.exe")) or (ActingProcessName in~ ("C:\\ProgramData\\chocolatey\\choco.exe", "C:\\ProgramData\\chocolatey\\tools\\shimgen.exe"))) or ActingProcessCommandLine contains "\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection" or (ActingProcessCommandLine contains "JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw" or ActingProcessCommandLine contains "cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA" or ActingProcessCommandLine contains "nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA"))))

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml