auto-generated queries from markdown notes

queries/windows/compile_after_delivery.yml

@@ -0,0 +1,18 @@
+title: Compile After Delivery
+description: Both Atomic tests for this technique leverage csc.exe for compilation
+  of code. The below will detect specific compilation of executables as well as dynamic
+  compilation through detection of csc.exe creating executable files (both dll and
+  exe). Filter noise from later portion of query using SrcProcParentName Not In ().
+author: keyboardcrunch
+date: 10/10/2020
+modified: null
+mitre:
+   tactic: Defense Evasion
+   technique: T1027
+   subtechnique: 004
+operating_system: windows
+query: (TgtProcName = "csc.exe" AND SrcProcCmdLine Contains "/target:exe") OR (SrcProcName  =
+  "csc.exe" AND TgtFileIsExecutable = "true" AND SrcProcParentName Not In ("svchost.exe"))
+false_positives: null
+tags: null
+