mirror of
https://github.com/keyboardcrunch/sentinelone-queries
synced 2026-06-09 09:27:16 +00:00
@
19 lines
743 B
YAML
19 lines
743 B
YAML
title: Compile After Delivery
|
|
description: Both Atomic tests for this technique leverage csc.exe for compilation
|
|
of code. The below will detect specific compilation of executables as well as dynamic
|
|
compilation through detection of csc.exe creating executable files (both dll and
|
|
exe). Filter noise from later portion of query using SrcProcParentName Not In ().
|
|
author: keyboardcrunch
|
|
date: 10/10/2020
|
|
modified: null
|
|
mitre:
|
|
tactic: Defense Evasion
|
|
technique: T1027
|
|
subtechnique: 004
|
|
operating_system: windows
|
|
query: (TgtProcName = "csc.exe" AND SrcProcCmdLine Contains "/target:exe") OR (SrcProcName =
|
|
"csc.exe" AND TgtFileIsExecutable = "true" AND SrcProcParentName Not In ("svchost.exe"))
|
|
false_positives: null
|
|
tags: null
|
|
|