C# IL Code Compilation Via Ilasm.EXE

Original Source: [Sigma source]
Title: C# IL Code Compilation Via Ilasm.EXE
Status: test
Description: Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL.
References:
  - https://lolbas-project.github.io/lolbas/Binaries/Ilasm/
  - https://www.echotrail.io/insights/search/ilasm.exe
Author: frack113, Nasreddine Bencherchali (Nextron Systems)
Date: 2022-05-07
Modified: 2022-05-16
Tags:
  - 'attack.defense-evasion'
  - 'attack.t1127'
Logsource:
  • product: windows
  • category: process_creation
Detection:
  selection_img:
    Image|endswith: '\ilasm.exe'
    OriginalFileName: 'ilasm.exe'
  selection_cli:
    CommandLine|contains:
      - ' /dll'
      - ' /exe'
  condition: all of selection_*
Falsepositives:
  - Unknown
Level: medium
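
The detection block above, evaluated over constructed process-creation events. This is an added example, not part of the Sigma rule or its project. It assumes both selection_img fields must match, as they are listed on this page, and applies Sigma's default case-insensitive comparison; the function names and sample events are hypothetical.

```python
# Added example: evaluates this rule's detection block over sample events.
# Every event below is constructed for illustration, not real telemetry.
NET_DIR = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
ILASM = NET_DIR + r"\ilasm.exe"

RULE = {
    "selection_img": {
        "Image|endswith": ["\\ilasm.exe"],
        "OriginalFileName": ["ilasm.exe"],
    },
    "selection_cli": {"CommandLine|contains": [" /dll", " /exe"]},
}

EVENTS = [
    {"Image": ILASM, "OriginalFileName": "ilasm.exe",
     "CommandLine": r"ilasm.exe C:\src\hello.il /exe"},
    {"Image": ILASM, "OriginalFileName": "ilasm.exe",
     "CommandLine": r"ilasm.exe C:\src\lib.il /DLL /output=lib.dll"},
    {"Image": ILASM, "OriginalFileName": "ilasm.exe",
     "CommandLine": "ilasm.exe /?"},
    {"Image": NET_DIR + r"\csc.exe", "OriginalFileName": "csc.exe",
     "CommandLine": "csc.exe /out:app.exe app.cs"},
]

def field_matches(event, key, patterns):
    """One field: any listed value may match (OR), compared case-insensitively."""
    name, _, modifier = key.partition("|")
    value = str(event.get(name, "")).lower()
    checks = {
        "endswith": value.endswith,
        "contains": lambda p: p in value,
        "": lambda p: p == value,   # no modifier: exact match
    }
    return any(checks[modifier](p.lower()) for p in patterns)

def selection_matches(event, selection):
    """A selection written as a map: every field must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())

def rule_matches(event, rule=RULE):
    """condition: all of selection_*"""
    return all(selection_matches(event, sel)
               for name, sel in rule.items() if name.startswith("selection_"))

def matching_command_lines(events):
    return [e["CommandLine"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    for e in EVENTS:
        print(rule_matches(e), e["CommandLine"])
```

The first two events match (the second only because the comparison ignores case); the help invocation and the csc.exe event do not.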