title: Compile After Delivery
description: Both Atomic tests for this technique leverage csc.exe for compilation of code. The query below detects explicit compilation of executables as well as dynamic compilation, by detecting csc.exe creating executable files (both dll and exe). Filter noise from the latter portion of the query using SrcProcParentName Not In ().
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
  tactic: Defense Evasion
  technique: T1027
  subtechnique: 004
operating_system: windows
query: (TgtProcName = "csc.exe" AND SrcProcCmdLine Contains "/target:exe") OR (SrcProcName = "csc.exe" AND TgtFileIsExecutable = "true" AND SrcProcParentName Not In ("svchost.exe"))
false_positives: null
tags: null