Splunk Lantern

.NET assemblies being compiled

You might need to know if .NET assemblies are being compiled when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Your company uses SolarWinds Orion business software, which is vulnerable to the Supernova in-memory web shell. Supernova accepts C# source from the attacker and compiles it on the Orion server, and because the resulting payload runs in memory rather than being installed as a file, detection and forensic analysis post-breach are difficult. The compile step itself, however, invokes the .NET C# compiler (csc.exe), which in turn spawns the resource converter cvtres.exe, so you want to determine whether .NET assemblies are being compiled on those systems.

Option 1

To optimize the search shown below, you should specify an index and a time range. In addition, content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Endpoint data model. For information on installing and using the CIM, see the Common Information Model documentation.

  1. Ensure that your deployment is ingesting endpoint logs from your various systems and populating the Endpoint data model.
  2. Run the following search:
    | tstats count FROM datamodel=Endpoint.Processes WHERE
    Processes.process_exec=cvtres.exe Processes.parent_process_exec=csc.exe 
    groupby Processes.process_exec Processes.process_id Processes.process 
    Processes.parent_process_exec Processes.parent_process 
    Processes.parent_process_id Processes.dest Processes.user 
    Processes.vendor_product _time span=1s

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

| tstats count FROM datamodel=Endpoint.Processes WHERE
Processes.process_exec=cvtres.exe Processes.parent_process_exec=csc.exe
    Query the Endpoint data model for process creation events in which cvtres.exe was spawned by csc.exe. This is the child-process chain the .NET runtime produces when an application compiles source code at run time, so it is the observable side effect of an in-memory compile.

groupby Processes.process_exec Processes.process_id Processes.process
Processes.parent_process_exec Processes.parent_process
Processes.parent_process_id Processes.dest Processes.user
Processes.vendor_product _time span=1s
    Group the matches by process name, process ID and command line, by the parent process name, command line and ID, and by host, user and data source, in one-second time buckets, so each compile appears as one row that can be pivoted on.

Option 2

To optimize the search shown below, you should specify an index and a time range. 

  1. Ensure that your deployment is ingesting Microsoft Sysmon data.
  2. Run the following search:
    sourcetype=xmlwineventlog:microsoft-windows-sysmon/operational EventCode=1 
    CommandLine=*cvtres.exe* ParentCommandLine=*csc.exe*
    | table _time CommandLine ParentCommandLine User host ProcessId ParentProcessId

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype=xmlwineventlog:microsoft-windows-sysmon/operational
    Search only Sysmon operational data.

EventCode=1
    Search for event code 1, which indicates process creation.

CommandLine=*cvtres.exe* ParentCommandLine=*csc.exe*
    Keep only events whose command line contains cvtres.exe and whose parent's command line contains csc.exe. The leading and trailing wildcards allow for the full path before the executable name and the compiler switches after it.

| table _time CommandLine ParentCommandLine User host ProcessId ParentProcessId
    Display the results in a table with columns in the order shown.

Result

Because many legitimate .NET applications compile code at run time and so create csc.exe and cvtres.exe as child processes, this is a tactic to hunt with, not a signature to deploy as an alert in your SIEM. A match on its own is not an indicator of compromise, but on vulnerable systems it is worth running this search and then hunting for additional actions that occur immediately after this behavior. The most useful pivot is the process that launched csc.exe: a build tool or IDE on a developer workstation is expected, whereas a web server worker process, such as IIS's w3wp.exe on a SolarWinds Orion server, compiling C# is the shape an in-memory web shell produces. Also note the temporary directory referenced in the csc.exe command line, since that is where the source and output of the compile were written.
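The following is an added example, not code from the Splunk Lantern page or from SolarWinds. It applies the hunt logic of the two searches above to constructed Sysmon Event ID 1 records and carries it one step further than the page does, by resolving the creation event of the csc.exe that spawned cvtres.exe and reporting csc.exe's own parent, which is the triage pivot described in the result. It matches on the Image and ParentImage file names rather than command-line wildcards, and it handles PID reuse by taking the latest csc.exe creation event on the same host that is not later than the cvtres.exe event. The hosts, PIDs, times, paths and the WEB_WORKERS set are assumptions made for the example.

```python
"""Added example (not from the page or SolarWinds): hunt for cvtres.exe spawned by
csc.exe in Sysmon process-creation records, then resolve what launched csc.exe."""
import ntpath

# Assumption for triage only: parents of csc.exe that deserve a closer look. A web
# server worker compiling C# is what an in-memory web shell looks like; extend this
# set to fit your environment.
WEB_WORKERS = {"w3wp.exe"}

CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
MSBUILD = r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\MSBuild\Current\Bin\MSBuild.exe"

# Constructed sample events, with field names as the Splunk add-on for Sysmon
# extracts them. None of this is real telemetry.
SAMPLE_EVENTS = [
    # Stale event: a finished csc.exe that once had PID 4120 on the same host
    # (PID reuse). It must not be picked as the parent of the later cvtres.exe.
    {"EventCode": 1, "host": "orion-web01", "_time": 1607990000, "ProcessId": 4120,
     "ParentProcessId": 3000, "Image": CSC, "CommandLine": f'"{CSC}" /noconfig @old.cmdline',
     "ParentImage": MSBUILD, "User": r"CORP\builder"},
    # Suspicious: IIS worker process running the Orion app pool launches the compiler.
    {"EventCode": 1, "host": "orion-web01", "_time": 1608000000, "ProcessId": 4120,
     "ParentProcessId": 2208, "Image": CSC,
     "CommandLine": f'"{CSC}" /noconfig /fullpaths @"C:\\Windows\\TEMP\\abc123.cmdline"',
     "ParentImage": W3WP, "User": r"IIS APPPOOL\SolarWinds Orion Application Pool"},
    {"EventCode": 1, "host": "orion-web01", "_time": 1608000001, "ProcessId": 4136,
     "ParentProcessId": 4120, "Image": CVTRES,
     "CommandLine": f'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\\Windows\\TEMP\\RES1234.tmp"',
     "ParentImage": CSC, "User": r"IIS APPPOOL\SolarWinds Orion Application Pool"},
    # Noise: a network-connection event (Event ID 3) that the hunt must ignore.
    {"EventCode": 3, "host": "orion-web01", "_time": 1608000002, "ProcessId": 4120,
     "Image": CSC, "DestinationIp": "10.0.0.5"},
    # Benign: a developer build on a workstation, MSBuild launching the compiler.
    {"EventCode": 1, "host": "dev-ws07", "_time": 1608000100, "ProcessId": 7001,
     "ParentProcessId": 6900, "Image": CSC, "CommandLine": f'"{CSC}" /noconfig @proj.cmdline',
     "ParentImage": MSBUILD, "User": r"CORP\jdoe"},
    {"EventCode": 1, "host": "dev-ws07", "_time": 1608000101, "ProcessId": 7010,
     "ParentProcessId": 7001, "Image": CVTRES, "CommandLine": f"{CVTRES} /NOLOGO /READONLY",
     "ParentImage": CSC, "User": r"CORP\jdoe"},
]


def _name(path):
    """Lower-cased file name of a Windows path, so matching ignores directory and case."""
    return ntpath.basename(path or "").lower()


def find_compiles(events):
    """The page's core pattern: process creations where cvtres.exe was spawned by csc.exe."""
    return [e for e in events
            if e.get("EventCode") == 1
            and _name(e.get("Image")) == "cvtres.exe"
            and _name(e.get("ParentImage")) == "csc.exe"]


def resolve_csc_parent(events, hit):
    """Creation event of the csc.exe that spawned this cvtres.exe: same host, ProcessId
    equal to the hit's ParentProcessId, and the latest such event not later than the hit,
    so a reused PID from an earlier, finished csc.exe is not picked."""
    candidates = [e for e in events
                  if e.get("EventCode") == 1
                  and e["host"] == hit["host"]
                  and e["ProcessId"] == hit["ParentProcessId"]
                  and _name(e.get("Image")) == "csc.exe"
                  and e["_time"] <= hit["_time"]]
    return max(candidates, key=lambda e: e["_time"], default=None)


def hunt(events):
    """One row per detected compile, enriched with the process that launched csc.exe."""
    rows = []
    for hit in find_compiles(events):
        csc = resolve_csc_parent(events, hit)
        launcher = _name(csc["ParentImage"]) if csc else None
        rows.append({
            "time": hit["_time"], "host": hit["host"], "user": hit.get("User"),
            "csc_pid": hit["ParentProcessId"],
            "csc_cmdline": csc["CommandLine"] if csc else None,
            "launched_by": launcher,
            "suspicious": launcher in WEB_WORKERS,
        })
    return rows


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        verdict = "REVIEW" if row["suspicious"] else "likely benign"
        print(f'{row["host"]}: csc.exe (pid {row["csc_pid"]}) launched by '
              f'{row["launched_by"]} as {row["user"]} -> {verdict}')
```

Running the script prints one line per compile: the Orion web server row is flagged for review because w3wp.exe launched the compiler, while the developer workstation row is marked likely benign. In Splunk the same enrichment is a second search for csc.exe's own process creation event on the same host and process ID, joined to the first result set.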