csc_net_on_the_fly_compilation.yml
name: CSC Net On The Fly Compilation
id: ea73128a-43ab-11ec-9753-acde48001122
version: 1
date: '2021-11-12'
author: Teoderick Contreras, Splunk
status: production
type: Hunting
description: This analytic detects the suspicious compile-before-delivery technique
  that abuses the .NET compiler csc.exe. Adversaries, malware and red teams alike use
  csc.exe to compile malicious .NET code on the fly on the host in order to evade
  detection by security products. This is a good hunting query: investigate the files
  or processes created after this event and check the file path passed to csc.exe,
  which holds the .NET source code. Note that PowerShell also invokes this compiler
  when a script executes .NET code, so a filter for that case is needed.
data_source:
- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
  as lastTime from datamodel=Endpoint.Processes where `process_csc` Processes.process
  = "*/noconfig*" Processes.process = "*/fullpaths*" Processes.process = "*@*" by
  Processes.dest Processes.user Processes.parent_process_name Processes.parent_process
  Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
  | `csc_net_on_the_fly_compilation_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection
  and Response (EDR) agents. These agents are designed to provide security-related
  telemetry from the endpoints where the agent is installed. To implement this search,
  you must ingest logs that contain the process GUID, process name, and parent process.
  Additionally, you must ingest complete command-line executions. These logs must
  be processed using the appropriate Splunk Technology Add-ons that are specific to
  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
  data model. Use the Splunk Common Information Model (CIM) to normalize the field
  names and speed up the data modeling process.
known_false_positives: A network operator or systems administrator may run an automated
  PowerShell script that executes .NET code, which will generate false positives.
  A filter is needed.
references:
- https://app.any.run/tasks/ad4c3cda-41f2-4401-8dba-56cc2d245488/
- https://tccontre.blogspot.com/2019/06/maicious-macro-that-compile-c-code-as.html
tags:
  analytic_story:
  - Windows Defense Evasion Tactics
  asset_type: Endpoint
  confidence: 50
  impact: 50
  message: csc.exe with commandline $process$ to compile .net code on $dest$ by $user$
  mitre_attack_id:
  - T1027.004
  - T1027
  observable:
  - name: dest
    type: Endpoint
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Processes.dest
  - Processes.user
  - Processes.parent_process_name
  - Processes.parent_process
  - Processes.process_name
  - Processes.process
  - Processes.process_id
  - Processes.parent_process_id
  risk_score: 25
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/vilsel/sysmon.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: xmlwineventlog
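The following Python is an added example, not code from the Splunk security_content project. It re-implements the three command-line conditions of the search above (process is csc.exe and the command line contains `/noconfig`, `/fullpaths` and an `@` response-file argument) and applies an allow-list that stands in for the empty `csc_net_on_the_fly_compilation_filter` macro, suppressing the PowerShell Add-Type case named under known_false_positives. The `process_csc` macro is assumed to match on the image name `csc.exe`; the allow-listed script path and all event records are constructed and do not come from real telemetry.

```python
"""Offline re-implementation of the 'CSC Net On The Fly Compilation' hunt.

Added example, not part of the Splunk security_content project. Event records
are constructed to resemble Sysmon EventID 1 fields after CIM normalisation.
"""
from dataclasses import dataclass
import re

# Tokens the SPL search requires in Processes.process (the full command line).
REQUIRED_TOKENS = ("/noconfig", "/fullpaths", "@")

# Stand-in for the `csc_net_on_the_fly_compilation_filter` macro, which ships
# empty. This assumed allow-list suppresses the documented false positive: an
# administrative PowerShell script whose Add-Type call drives csc.exe.
# The C:\Ops\Scripts\ path is a constructed placeholder; tune to your estate.
ALLOWED_PARENT_SCRIPTS = (
    re.compile(r"powershell\.exe.*-File\s+\"?C:\\Ops\\Scripts\\", re.IGNORECASE),
)


@dataclass
class ProcessEvent:
    dest: str
    user: str
    parent_process_name: str
    parent_process: str   # parent command line
    process_name: str
    process: str          # full command line of the child


def is_csc(event: ProcessEvent) -> bool:
    """Stand-in for the `process_csc` macro: assumed to match on image name."""
    return event.process_name.lower() == "csc.exe"


def matches_search(event: ProcessEvent) -> bool:
    """True if the tstats search (before the filter macro) would return the event."""
    if not is_csc(event):
        return False
    cmd = event.process.lower()
    return all(tok in cmd for tok in REQUIRED_TOKENS)


def is_filtered(event: ProcessEvent) -> bool:
    """True if the local filter suppresses the event as a known false positive."""
    if event.parent_process_name.lower() != "powershell.exe":
        return False
    return any(p.search(event.parent_process) for p in ALLOWED_PARENT_SCRIPTS)


def hunt(events):
    """Return (dest, user, parent_process_name, process) for surviving hits."""
    return [
        (e.dest, e.user, e.parent_process_name, e.process)
        for e in events
        if matches_search(e) and not is_filtered(e)
    ]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Office document spawning csc.exe with a response file: the behaviour hunted for.
    ProcessEvent("WS01", "CORP\\alice", "winword.exe",
                 '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" /n "C:\\Users\\alice\\invoice.docm"',
                 "csc.exe",
                 'C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe /noconfig /fullpaths @"C:\\Users\\alice\\AppData\\Local\\Temp\\abc123.cmdline"'),
    # Add-Type from an approved admin script: same command line, allow-listed.
    ProcessEvent("SRV02", "CORP\\svc_ops", "powershell.exe",
                 'powershell.exe -NoProfile -File "C:\\Ops\\Scripts\\inventory.ps1"',
                 "csc.exe",
                 'C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe /noconfig /fullpaths @"C:\\Users\\svc_ops\\AppData\\Local\\Temp\\def456.cmdline"'),
    # Interactive PowerShell using Add-Type: not allow-listed, so it is reported.
    ProcessEvent("WS03", "CORP\\bob", "powershell.exe", "powershell.exe",
                 "csc.exe",
                 'csc.exe /noconfig /fullpaths @"C:\\Users\\bob\\AppData\\Local\\Temp\\ghi789.cmdline"'),
    # Ordinary build invocation without the response-file pattern: not matched.
    ProcessEvent("BUILD01", "CORP\\ci", "msbuild.exe", "msbuild.exe Project.csproj",
                 "csc.exe", "csc.exe /noconfig /target:library /out:App.dll Program.cs"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Running the block reports the WINWORD.EXE parent and the interactive PowerShell parent while dropping the scripted Add-Type case; the point of keeping the filter in a separate function is that tuning it never changes the core match, which is what you want when a hunting query is promoted to a scheduled detection.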