title: Suspicious Csc.exe Source File Folder
author: Florian Roth
date: 2019/08/24
description: Detects a suspicious execution of csc.exe, which uses a source in a suspicious
  folder (e.g. AppData)
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image: '*\csc.exe'
  SELECTION_3:
    CommandLine:
    - '*\AppData\\*'
    - '*\Windows\Temp\\*'
  SELECTION_4:
    ParentImage: C:\Program Files*
  SELECTION_5:
    ParentImage:
    - '*\sdiagnhost.exe'
    - '*\w3wp.exe'
  SELECTION_6:
    ParentCommandLine:
    - '*\ProgramData\Microsoft\Windows Defender Advanced Threat Protection*'
  condition: (SELECTION_1 and (SELECTION_2 and SELECTION_3) and  not (SELECTION_4
    or SELECTION_5 or SELECTION_6))
falsepositives:
- https://twitter.com/gN3mes1s/status/1206874118282448897
- https://twitter.com/gabriele_pippi/status/1206907900268072962
id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
level: high
logsource:
  category: process_creation
  product: windows
modified: 2021/02/01
references:
- https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
- https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
- https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
- https://twitter.com/gN3mes1s/status/1206874118282448897
status: experimental
tags:
- attack.defense_evasion
- attack.t1500
- attack.t1027.004
ruletype: SIGMA