The Dynamic CSharp Compile Artefact rule detects adversaries dynamically compiling C# code to execute malicious payloads without writing to disk, leveraging the creation of temporary .cmdline files as part of the process. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential in-memory execution and evasion tactics that bypass traditional file-based detection mechanisms.
Detection Rule
title: Dynamic CSharp Compile Artefact
id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
status: test
description: |
    When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
    Certain processes are not typically observed compiling C# code, but can do so without touching disk.
    This can be used to unpack a payload for execution.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile
author: frack113
date: 2022-01-09
modified: 2023-02-17
tags:
    - attack.defense-evasion
    - attack.t1027.004
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.cmdline'
    condition: selection
falsepositives:
    - Unknown
level: low
Azure Sentinel Query (ASIM imFileEvent)
imFileEvent
| where TargetFileName endswith ".cmdline"
False Positive Scenarios
Scenario: Development Environment with Roslyn Compiler
Description: A developer is using the Roslyn compiler (e.g., Visual Studio, dotnet CLI) to compile C# code as part of normal development tasks.
Filter/Exclusion: Check for the presence of known development tools (e.g., dotnet, csc.exe, VisualStudio.exe) or process names associated with development environments.
Example Filter: process.name != "dotnet" and process.name != "csc.exe"
Scenario: Scheduled Job for Code Generation
Description: A scheduled job runs a script or tool that dynamically compiles C# code to generate configuration files or artifacts (e.g., using System.Reflection.Emit).
Filter/Exclusion: Exclude processes associated with scheduled tasks (e.g., schtasks.exe, TaskScheduler) or known code generation tools.
Example Filter: process.name != "schtasks.exe" and process.name != "TaskScheduler"
Scenario: Admin Task for Dynamic Code Execution
Description: An administrator is using a tool like PowerShell or C# Interactive Console (e.g., csc.exe in a script) to dynamically compile and execute C# code for debugging or testing.
Filter/Exclusion: Filter out known administrative tools or processes that are commonly used for dynamic code execution.
Example Filter: process.name != "powershell.exe" and process.name != "csc.exe"
Scenario: Integration with CI/CD Pipeline
Description: A CI/CD pipeline (e.g., Jenkins, GitHub Actions) is dynamically compiling C# code as part of a build process.
Filter/Exclusion: Exclude processes associated with CI/CD tools (e.g., jenkins.exe, dotnet.exe, `github-runner
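The selection from the rule above combined with the process-name exclusions from the false positive scenarios, as an added Python example that is not part of the Sigma rule, the Sentinel query or the original page. It assumes Sysmon Event ID 11 (FileCreate) records carrying an `Image` field (the process that created the file) and a `TargetFilename` field; the sample events, the `FileEvent` class and the allowlist built from the page's `dotnet` / `csc.exe` examples are constructed for this example.

```python
"""Run the .cmdline selection over constructed file-creation events and apply
an image-name allowlist, to show what each exclusion from the scenarios above
actually suppresses. Added example; assumed Sysmon-style field names."""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileEvent:
    """Minimal Sysmon Event ID 11 shape (assumed field names)."""
    image: str            # process that created the file (Sysmon `Image`)
    target_filename: str  # created file (Sysmon `TargetFilename`)


# Constructed sample telemetry; not real logs.
SAMPLE_EVENTS = [
    # Scripting host compiling C# at runtime. In the CodeDom flow the calling
    # process writes the .cmdline response file into %TEMP% before csc.exe runs.
    FileEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\alice\AppData\Local\Temp\abc123\abc123.cmdline"),
    # Constructed build activity modelled on the page's CI/CD scenario.
    FileEvent(r"C:\Program Files\dotnet\dotnet.exe",
              r"C:\agent\_work\1\s\obj\Release\build.cmdline"),
    # Web worker process writing a compile artefact: not on any allowlist.
    FileEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\Temp\qrs789\qrs789.cmdline"),
    # Unrelated file creation that must not match the selection.
    FileEvent(r"C:\Windows\System32\notepad.exe",
              r"C:\Users\alice\notes.cmdline.txt"),
]

# Allowlist of image base names, taken from the page's development scenario.
DEV_TOOL_IMAGES = frozenset({"dotnet.exe", "csc.exe"})


def sigma_selection(event: FileEvent) -> bool:
    """Sigma `TargetFilename|endswith: '.cmdline'`; Sigma matching is case-insensitive."""
    return event.target_filename.lower().endswith(".cmdline")


def image_name(event: FileEvent) -> str:
    """Base name of the creating process, lower-cased for comparison."""
    return PureWindowsPath(event.image).name.lower()


def detect(events, excluded_images=DEV_TOOL_IMAGES):
    """Events that match the selection and were not created by an excluded image."""
    excluded = {name.lower() for name in excluded_images}
    return [e for e in events if sigma_selection(e) and image_name(e) not in excluded]


def summarise(events, excluded_images=DEV_TOOL_IMAGES):
    """Hit count per creating image after exclusions; handy when tuning the allowlist."""
    counts = {}
    for e in detect(events, excluded_images):
        counts[image_name(e)] = counts.get(image_name(e), 0) + 1
    return counts


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT {image_name(hit)} -> {hit.target_filename}")
    # Adding the scripting-host exclusion from the admin scenario also drops
    # the in-memory compile case, which is what the rule exists to catch.
    print(summarise(SAMPLE_EVENTS, DEV_TOOL_IMAGES | {"powershell.exe"}))
```

Running `summarise` with and without an exclusion before shipping it is the point of the example: because the process that calls the compiler writes the .cmdline file itself, excluding a scripting host such as powershell.exe (the admin-task scenario) silences exactly the in-memory compile the rule targets, while the dev-tool exclusions only remove build-server noise. Tuning on the full image path and on the target directory (a build output tree versus a per-user temp folder) keeps more of the signal than excluding on base name alone.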