{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/compile-after-delivery/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","compile-after-delivery","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers sometimes deliver malicious code in a non-executable format to bypass initial security checks. They then use legitimate .NET compilers like \u003ccode\u003ecsc.exe\u003c/code\u003e (C#) and \u003ccode\u003evbc.exe\u003c/code\u003e (VB.NET) to compile the code into an executable on the victim machine. This technique, known as \u0026ldquo;Compile After Delivery\u0026rdquo;, helps them evade traditional signature-based detections. This activity is often launched from scripting engines or system utilities, such as \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ecmstp.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e and others.\nThe rule detects these unusual parent-child process relationships, providing an alert for potential post-delivery code compilation activity, and applies to Windows environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access via an unspecified method.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers obfuscated or encoded .NET source code to the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a scripting engine (e.g., \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e) or system utility (e.g., \u003ccode\u003ewmic.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e, \u003ccode\u003ecmstp.exe\u003c/code\u003e) to execute a .NET compiler (\u003ccode\u003ecsc.exe\u003c/code\u003e or \u003ccode\u003evbc.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe scripting engine or system utility passes the delivered .NET source code as an argument to the compiler.\u003c/li\u003e\n\u003cli\u003eThe .NET compiler compiles the source code into a binary executable.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the compiled binary.\u003c/li\u003e\n\u003cli\u003eThe compiled binary performs malicious actions, such as establishing persistence, lateral movement, or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on the target system, bypassing security measures that rely on pre-execution scanning. This can lead to a range of malicious activities, including data theft, system compromise, and deployment of ransomware.\nDetecting and preventing this technique is crucial for maintaining the integrity and confidentiality of systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging via Windows Security Event Logs or Sysmon (Event ID 1) to capture process execution data needed for the detection rule.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious .NET Code Compilation\u0026rdquo; to your SIEM to detect instances of .NET compilers being executed by unusual parent processes.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized execution of compilers and scripting engines by non-standard parent processes, as described in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for the parent processes listed in the Sigma rule\u0026rsquo;s detection criteria (e.g., \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ecmstp.exe\u003c/code\u003e, \u003ccode\u003eregsvr32.exe\u003c/code\u003e) for unusual command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-suspicious-dotnet-compilation/","summary":"Adversaries may use unusual parent processes to execute .NET compilers for compiling malicious code after delivery, evading security mechanisms, and this activity is detected by monitoring compiler executions initiated by scripting engines or system utilities.","title":"Suspicious .NET Code Compilation via Unusual Parent Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-02-suspicious-dotnet-compilation/"}],"language":"en","title":"CraftedSignal Threat Feed — Compile-After-Delivery","version":"https://jsonfeed.org/version/1.1"}