The hypothesis is that an adversary is using the AspNetCompiler tool to generate malicious DLL files as part of a code injection or persistence strategy. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential code execution or lateral movement tactics that evade traditional detection methods.
Detection Rule
title: Assembly DLL Creation Via AspNetCompiler
id: 4c7f49ee-2638-43bb-b85b-ce676c30b260 # TMP File
related:
    - id: 9ccba514-7cb6-4c5c-b377-700758f2f120 # SuspChild
      type: similar
    - id: 9f50fe98-fe5c-4a2d-86c7-fad7f63ed622 # Susp Paths
      type: similar
    - id: a01b8329-5953-4f73-ae2d-aa01e1f35f00 # Exec
      type: similar
status: test
description: |
    Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-14
tags:
    - attack.execution
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\aspnet_compiler.exe'
        TargetFilename|contains|all:
            - '\Temporary ASP.NET Files\'
            - '\assembly\tmp\'
            - '.dll'
    condition: selection
falsepositives:
    - Legitimate assembly compilation using a build provider
level: medium
imFileEvent
// Sigma 'file_event' covers file creation; in ASIM that is EventType FileCreated
| where EventType == "FileCreated"
// Sigma 'Image' is the creating process, which ASIM exposes as ActingProcessName (not TargetFilePath)
| where ActingProcessName endswith "\\aspnet_compiler.exe"
// Sigma 'TargetFilename' is the full path, which ASIM exposes as TargetFilePath (TargetFileName is the bare file name)
| where TargetFilePath contains "\\Temporary ASP.NET Files\\" and TargetFilePath contains "\\assembly\\tmp\\" and TargetFilePath contains ".dll"
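The rule's selection logic applied to constructed Windows file-creation events, plus the account-based exclusion the false-positive scenarios suggest. This is an added example, not the rule author's or the page's code; the event field names, the hashed directory names and the account names are assumptions.

```python
# Added example (not the page's or the rule author's code): applies the Sigma
# selection above to constructed file-creation events and then drops hits from
# an allowlisted build account. Field names and sample values are assumptions.
from dataclasses import dataclass

# TargetFilename|contains|all fragments, lower-cased because Sigma string
# matching is case-insensitive
REQUIRED_FRAGMENTS = ("\\temporary asp.net files\\", "\\assembly\\tmp\\", ".dll")
IMAGE_SUFFIX = "\\aspnet_compiler.exe"


@dataclass
class FileEvent:
    image: str            # process that created the file (Sysmon Image)
    target_filename: str  # full path of the created file
    user: str             # account the creating process ran as


def matches_rule(ev: FileEvent) -> bool:
    """Mirror the rule's 'selection': image suffix AND every path fragment."""
    image = ev.image.lower()
    target = ev.target_filename.lower()
    return image.endswith(IMAGE_SUFFIX) and all(f in target for f in REQUIRED_FRAGMENTS)


def hunt(events, allowlisted_accounts=frozenset()):
    """Return rule matches that were not produced by a known build account."""
    return [ev for ev in events
            if matches_rule(ev) and ev.user.lower() not in allowlisted_accounts]


# Constructed sample events (paths follow the .NET Framework layout; hashed
# directory names and account names are made up)
FW = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319"
TEMP = FW + "\\Temporary ASP.NET Files\\root\\1a2b3c4d\\5e6f7a8b"
SAMPLE_EVENTS = [
    # 1: matches, interactive user, worth a look
    FileEvent(FW + "\\aspnet_compiler.exe", TEMP + "\\assembly\\tmp\\Q1W2E3R4\\App_Web_x.dll", "CORP\\jdoe"),
    # 2: same image, but a .compiled marker file rather than a DLL under assembly\tmp
    FileEvent(FW + "\\aspnet_compiler.exe", TEMP + "\\App_Web_x.compiled", "CORP\\jdoe"),
    # 3: DLL in the right place, but written by csc.exe, not aspnet_compiler.exe
    FileEvent(FW + "\\csc.exe", TEMP + "\\assembly\\tmp\\Q1W2E3R4\\App_Web_x.dll", "CORP\\jdoe"),
    # 4: matches despite upper case, but comes from the CI build account (tuned out)
    FileEvent(FW.upper() + "\\ASPNET_COMPILER.EXE", TEMP.upper() + "\\ASSEMBLY\\TMP\\Z9X8C7V6\\APP_WEB_Y.DLL", "CORP\\svc-build"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, {"corp\\svc-build"}):
        print("ALERT", hit.user, hit.target_filename)
```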
Scenario: Scheduled Website Deployment via Visual Studio
Description: A scheduled job runs AspNetCompiler as part of a CI/CD pipeline to precompile a web application, generating .dll files in the output directory.
Filter/Exclusion: Check for the presence of a web.config file or a deployment script in the same directory, or filter by the presence of a publish folder in the path.
Scenario: Admin Task to Precompile a Web Application
Description: An administrator manually runs AspNetCompiler to precompile a web application for performance optimization, creating new .dll files.
Filter/Exclusion: Include a filter for the user account or process name associated with the admin task, or check for the presence of a web.config file indicating a web application context.
Scenario: Legacy Application Maintenance via PowerShell
Description: A PowerShell script is used to maintain a legacy ASP.NET application by rebuilding assemblies using AspNetCompiler, which may create new .dll files.
Filter/Exclusion: Filter by the presence of a .ps1 script file in the same directory, or check for a maintenance folder or specific command-line arguments used in the script.
Scenario: Third-Party Tool for Web Application Packaging
Description: A third-party tool like Web Deploy or MSBuild uses AspNetCompiler internally to package a web application, resulting in the creation of .dll files.
Filter/Exclusion: Check for the presence of a Web Deploy- or MSBuild-related file in the path, or filter by the process name of the third-party tool.
Scenario: Development Environment Artifact Generation
Description: In a development environment, a developer uses AspNetCompiler to generate artifacts for testing, which may result in the creation of new `.