Suspicious .NET Code Compilation via Unusual Parent Processes

Attackers sometimes deliver malicious code in a non-executable format to bypass initial security checks. They then use legitimate .NET compilers like csc.exe (C#) and vbc.exe (VB.NET) to compile the code into an executable on the victim machine. This technique, known as “Compile After Delivery”, helps them evade traditional signature-based detections. This activity is often launched from scripting engines or system utilities, such as wscript.exe, mshta.exe, cmstp.exe, regsvr32.exe and others. The rule detects these unusual parent-child process relationships, providing an alert for potential post-delivery code compilation activity, and applies to Windows environments.

Attack Chain

1. An attacker gains initial access via an unspecified method.
2. The attacker delivers obfuscated or encoded .NET source code to the target system.
3. The attacker uses a scripting engine (e.g., wscript.exe, mshta.exe, cscript.exe) or system utility (e.g., wmic.exe, regsvr32.exe, cmstp.exe) to execute a .NET compiler (csc.exe or vbc.exe).
4. The scripting engine or system utility passes the delivered .NET source code as an argument to the compiler.
5. The .NET compiler compiles the source code into a binary executable.
6. The attacker executes the compiled binary.
7. The compiled binary performs malicious actions, such as establishing persistence, lateral movement, or data exfiltration.

Impact

Successful exploitation allows attackers to execute arbitrary code on the target system, bypassing security measures that rely on pre-execution scanning. This can lead to a range of malicious activities, including data theft, system compromise, and deployment of ransomware. Detecting and preventing this technique is crucial for maintaining the integrity and confidentiality of systems.

Recommendation

• Enable process creation logging via Windows Security Event Logs or Sysmon (Event ID 1) to capture process execution data needed for the detection rule.
• Deploy the Sigma rule “Suspicious .NET Code Compilation” to your SIEM to detect instances of .NET compilers being executed by unusual parent processes.
• Implement application whitelisting to prevent unauthorized execution of compilers and scripting engines by non-standard parent processes, as described in the rule’s documentation.
• Monitor process execution for the parent processes listed in the Sigma rule’s detection criteria (e.g., wscript.exe, mshta.exe, cmstp.exe, regsvr32.exe) for unusual command-line arguments.