{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/csc.exe/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[".NET Framework"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","dynamic-compilation","csc.exe"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers often utilize the .NET Framework\u0026rsquo;s command-line compiler, \u003ccode\u003ecsc.exe\u003c/code\u003e, to compile malicious code dynamically on compromised systems. This tactic allows them to evade traditional signature-based detections and execute code in memory. The compilation often occurs from unusual or temporary directories such as \u003ccode\u003e\\Perflogs\\\u003c/code\u003e, \u003ccode\u003e\\Users\\Public\\\u003c/code\u003e, or within the \u003ccode\u003eAppData\u003c/code\u003e directory. This technique has been observed in campaigns involving malware such as Agent Tesla and by actors like MuddyWater. Detection focuses on identifying \u003ccode\u003ecsc.exe\u003c/code\u003e executions originating from or utilizing paths indicative of suspicious activity outside of normal software development workflows.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the system through an exploit or social engineering.\u003c/li\u003e\n\u003cli\u003ePayload Delivery: A malicious payload containing .NET source code is delivered to the system, often dropped in a temporary directory or a user\u0026rsquo;s profile directory.\u003c/li\u003e\n\u003cli\u003eCommand Execution: The attacker uses a command-line interface (cmd.exe or powershell.exe) to execute \u003ccode\u003ecsc.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDynamic Compilation: \u003ccode\u003ecsc.exe\u003c/code\u003e compiles the .NET source code into an executable or DLL file.\u003c/li\u003e\n\u003cli\u003eFile Creation: The compiled assembly is written to disk in a specified location.\u003c/li\u003e\n\u003cli\u003eCode Injection/Execution: The compiled assembly is loaded into memory and executed, often using techniques like reflective DLL injection.\u003c/li\u003e\n\u003cli\u003ePersistence (Optional): The attacker may establish persistence by creating a scheduled task or modifying registry keys to recompile and execute the malicious code on system startup.\u003c/li\u003e\n\u003cli\u003eAchieve Objectives: The attacker achieves their objectives, such as data exfiltration, lateral movement, or establishing a command and control channel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to perform a wide range of malicious activities. This can result in data theft, system compromise, and the deployment of ransomware. While the number of victims and sectors targeted varies depending on the specific campaign, dynamic compilation techniques significantly increase the difficulty of detection and response, making systems vulnerable to persistent and stealthy attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious executions of \u003ccode\u003ecsc.exe\u003c/code\u003e from unusual locations (process_creation logs).\u003c/li\u003e\n\u003cli\u003eTune the Sigma rules for your environment to reduce false positives, considering legitimate uses of \u003ccode\u003ecsc.exe\u003c/code\u003e by developers (Sigma rules).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ecsc.exe\u003c/code\u003e with command-line arguments containing suspicious directory locations like \u003ccode\u003e\\Perflogs\\\u003c/code\u003e, \u003ccode\u003e\\Users\\Public\\\u003c/code\u003e, \u003ccode\u003e\\AppData\\Local\\Temp\\\u003c/code\u003e (process_creation logs).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003ecsc.exe\u003c/code\u003e is executed by processes other than legitimate software development tools, filtering out known good parent processes like \u003ccode\u003esdiagnhost.exe\u003c/code\u003e or \u003ccode\u003ew3wp.exe\u003c/code\u003e (process_creation logs).\u003c/li\u003e\n\u003cli\u003eConsider blocking execution of \u003ccode\u003ecsc.exe\u003c/code\u003e from user-writable directories if it is not a legitimate use case in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-dynamic-net-compilation/","summary":"Attackers may use csc.exe to compile .NET code on the fly to evade detection, often placing the compiler and source code in suspicious locations, which can be detected by monitoring process creation events.","title":"Suspicious Dynamic .NET Compilation via Csc.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-dynamic-net-compilation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["attack.execution","attack.defense-evasion","csc.exe","payload-delivery"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are leveraging the legitimate Csc.exe (C# compiler) to execute malicious code, often as a part of defense evasion or payload delivery. This is achieved by spawning Csc.exe from unusual parent processes such as scripting hosts (cscript.exe, wscript.exe), Office applications (excel.exe, winword.exe), or PowerShell, especially when combined with encoded commands. Observed techniques also include launching Csc.exe from temporary or unusual directories. This activity bypasses traditional application whitelisting and can lead to the execution of arbitrary code. This activity has been associated with WarzoneRAT, DarkVNC, and the delivery of IMAPLoader malware.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access, potentially through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eA script or Office macro executes, initiating a command-line process.\u003c/li\u003e\n\u003cli\u003eThis process then invokes a scripting host (e.g., cscript.exe) or PowerShell.\u003c/li\u003e\n\u003cli\u003eThe scripting host or PowerShell executes a command that downloads or creates a C# source code file.\u003c/li\u003e\n\u003cli\u003eCsc.exe is then invoked, often from a temporary directory, to compile the downloaded/created C# code.\u003c/li\u003e\n\u003cli\u003eThe compiled C# code executes, performing malicious actions.\u003c/li\u003e\n\u003cli\u003eThe malicious code may establish persistence, communicate with a C2 server, or perform data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe final objective might be to deploy ransomware, steal sensitive data, or establish a persistent backdoor.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to compromise systems, steal data, or deploy malware. Depending on the user\u0026rsquo;s permissions, the attacker could gain elevated privileges. The observed techniques have been associated with ransomware deployment, data theft, and remote access trojans (RATs).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Csc.EXE Execution Form Potentially Suspicious Parent\u0026rdquo; to detect suspicious parent processes of csc.exe.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for csc.exe with parent processes like scripting hosts or Office applications.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of csc.exe being executed from temporary directories or user profile locations by reviewing process_creation logs.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture detailed process information, including parent-child relationships, for effective detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"/briefs/2024-01-02-csc-suspicious-parent/","summary":"The Csc.exe (C# compiler) process is being launched by unusual parent processes or from suspicious locations, indicating potential malware execution or defense evasion.","title":"Suspicious CSC.exe Parent Process","url":"https://feed.craftedsignal.io/briefs/2024-01-02-csc-suspicious-parent/"}],"language":"en","title":"CraftedSignal Threat Feed — Csc.exe","version":"https://jsonfeed.org/version/1.1"}