csc.exe
- File Path:
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\csc.exe - Description: Visual C# Command Line Compiler
- Comments: Flavor=Retail
Hashes
| Type | Hash |
|---|---|
| MD5 | 749B60EA8762B3BC3494906FD7025497 |
| SHA1 | 1694340AB9FBE2692A95D9B18575C6959B01C7E9 |
| SHA256 | 4458132AFC157ED1943F0FEE08FB8DCE30B46ECA73AC07C45026378B47D8BE64 |
| SHA384 | 8EE0CAF2F94CFF0D42AF9BB7C2ED2AB835EF975F3E1E4720FCB34F305021E74247BFA9DE99ED0D2201820A9E66077280 |
| SHA512 | F5879F5B113F2C32E97245F28D6A2A7D1BBACDCD367146C1AFDEE6E8854B766BE45AC2DA34BAD646CC780F957D95E0033F9EC8831D27FDADC7A6FD50C5002021 |
| SSDEEP | 49152:Ynqqr9wJI6S7RSSon9X6f4IeY0+h1s410I1xIdcxyjtq:Ynq29lFHon9X5Iddq41LxryM |
| IMP | 950FB6F62526333E663D35BA72D19DDC |
| PESHA1 | 9F8BA240EB70A49B8EED0BBD53584EC55C7C7BF8 |
| PE256 | BCDB4587E72A3E61BC1F6311A5987E255C142B2C3A62E3A7A104D4E44F3DD120 |
Runtime Data
Usage (stdout):
Microsoft (R) Visual C# Compiler version 4.8.4161.0
for C# 5
Copyright (C) Microsoft Corporation. All rights reserved.
This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240
Visual C# Compiler Options
- OUTPUT FILES -
/out:<file> Specify output file name (default: base name of file with main class or first file)
/target:exe Build a console executable (default) (Short form: /t:exe)
/target:winexe Build a Windows executable (Short form: /t:winexe)
/target:library Build a library (Short form: /t:library)
/target:module Build a module that can be added to another assembly (Short form: /t:module)
/target:appcontainerexe Build an Appcontainer executable (Short form: /t:appcontainerexe)
/target:winmdobj Build a Windows Runtime intermediate file that is consumed by WinMDExp (Short form: /t:winmdobj)
/doc:<file> XML Documentation file to generate
/platform:<string> Limit which platforms this code can run on: x86, Itanium, x64, arm, anycpu32bitpreferred, or anycpu. The default is anycpu.
- INPUT FILES -
/recurse:<wildcard> Include all files in the current directory and subdirectories according to the wildcard specifications
/reference:<alias>=<file> Reference metadata from the specified assembly file using the given alias (Short form: /r)
/reference:<file list> Reference metadata from the specified assembly files (Short form: /r)
/addmodule:<file list> Link the specified modules into this assembly
/link:<file list> Embed metadata from the specified interop assembly files (Short form: /l)
- RESOURCES -
/win32res:<file> Specify a Win32 resource file (.res)
/win32icon:<file> Use this icon for the output
/win32manifest:<file> Specify a Win32 manifest file (.xml)
/nowin32manifest Do not include the default Win32 manifest
/resource:<resinfo> Embed the specified resource (Short form: /res)
/linkresource:<resinfo> Link the specified resource to this assembly (Short form: /linkres)
Where the resinfo format is <file>[,<string name>[,public|private]]
- CODE GENERATION -
/debug[+|-] Emit debugging information
/debug:{full|pdbonly} Specify debugging type ('full' is default, and enables attaching a debugger to a running program)
/optimize[+|-] Enable optimizations (Short form: /o)
- ERRORS AND WARNINGS -
/warnaserror[+|-] Report all warnings as errors
/warnaserror[+|-]:<warn list> Report specific warnings as errors
/warn:<n> Set warning level (0-4) (Short form: /w)
/nowarn:<warn list> Disable specific warning messages
- LANGUAGE -
/checked[+|-] Generate overflow checks
/unsafe[+|-] Allow 'unsafe' code
/define:<symbol list> Define conditional compilation symbol(s) (Short form: /d)
/langversion:<string> Specify language version mode: ISO-1, ISO-2, 3, 4, 5, or Default
- SECURITY -
/delaysign[+|-] Delay-sign the assembly using only the public portion of the strong name key
/keyfile:<file> Specify a strong name key file
/keycontainer:<string> Specify a strong name key container
/highentropyva[+|-] Enable high-entropy ASLR
/enforcecodeintegrity[+|-] Enforce code intergrity checks on all inputs to the compiler and enable loading compiled assemblies by other programs that enforce code integrity if the operating system is configured to do so.
- MISCELLANEOUS -
@<file> Read response file for more options
/help Display this usage message (Short form: /?)
/nologo Suppress compiler copyright message
/noconfig Do not auto include CSC.RSP file
- ADVANCED -
/baseaddress:<address> Base address for the library to be built
/bugreport:<file> Create a 'Bug Report' file
/codepage:<n> Specify the codepage to use when opening source files
/utf8output Output compiler messages in UTF-8 encoding
/main:<type> Specify the type that contains the entry point (ignore all other possible entry points) (Short form: /m)
/fullpaths Compiler generates fully qualified paths
/filealign:<n> Specify the alignment used for output file sections
/pdb:<file> Specify debug information file name (default: output file name with .pdb extension)
/errorendlocation Output line and column of the end location of each error
/preferreduilang Specify the preferred output language name.
/nostdlib[+|-] Do not reference standard library (mscorlib.dll)
/subsystemversion:<string> Specify subsystem version of this assembly
/lib:<file list> Specify additional directories to search in for references
/errorreport:<string> Specify how to handle internal compiler errors: prompt, send, queue, or none. The default is queue.
/appconfig:<file> Specify an application configuration file containing assembly binding settings
/moduleassemblyname:<string> Name of the assembly which this module will be a part of
Loaded Modules:
| Path |
|---|
| C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\csc.exe |
| C:\WINDOWS\SYSTEM32\ntdll.dll |
| C:\WINDOWS\System32\wow64.dll |
| C:\WINDOWS\System32\wow64base.dll |
| C:\WINDOWS\System32\wow64con.dll |
| C:\WINDOWS\System32\wow64cpu.dll |
| C:\WINDOWS\System32\wow64win.dll |
Signature
- Status: Signature verified.
- Serial:
33000002ED2C45E4C145CF48440000000002ED - Thumbprint:
312860D2047EB81F8F58C29FF19ECDB4C634CF6A - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: csc.exe
- Product Name: Microsoft .NET Framework
- Company Name: Microsoft Corporation
- File Version: 4.8.4161.0 built by: NET48REL1
- Product Version: 4.8.4161.0
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/75
- VirusTotal Link: https://www.virustotal.com/gui/file/4458132afc157ed1943f0fee08fb8dce30b46eca73ac07c45026378b47d8be64/detection
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | 96 |
Possible Misuse
The following table contains possible examples of csc.exe being misused. While csc.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_exploit_cve_2017_8759.yml | description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759 |
DRL 1.0 |
| sigma | proc_creation_win_exploit_cve_2017_8759.yml | Image\|endswith: '\csc.exe' |
DRL 1.0 |
| sigma | proc_creation_win_possible_applocker_bypass.yml | #- '\csc.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_csc.yml | title: Suspicious Parent of Csc.exe |
DRL 1.0 |
| sigma | proc_creation_win_susp_csc.yml | description: Detects a suspicious parent of csc.exe, which could by a sign of payload delivery |
DRL 1.0 |
| sigma | proc_creation_win_susp_csc.yml | Image\|endswith: '\csc.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_csc_folder.yml | title: Suspicious Csc.exe Source File Folder |
DRL 1.0 |
| sigma | proc_creation_win_susp_csc_folder.yml | description: Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData) |
DRL 1.0 |
| sigma | proc_creation_win_susp_csc_folder.yml | Image\|endswith: '\csc.exe' |
DRL 1.0 |
| LOLBAS | Csc.yml | Name: Csc.exe |
|
| LOLBAS | Csc.yml | - Command: csc.exe -out:My.exe File.cs |
|
| LOLBAS | Csc.yml | Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to My.exe. |
|
| LOLBAS | Csc.yml | Description: Use CSC.EXE to compile C# code stored in File.cs and output the compiled version to a dll file. |
|
| LOLBAS | Csc.yml | - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe |
|
| LOLBAS | Csc.yml | - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe |
|
| LOLBAS | Csc.yml | - IOC: Csc.exe should normally not run as System account unless it is used for development. |
|
| LOLBAS | Csc.yml | - Link: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/compiler-options/command-line-building-with-csc-exe |
|
| LOLBAS | Microsoft.Workflow.Compiler.yml | - IOC: The presence of csc.exe or vbc.exe as child processes of Microsoft.Workflow.Compiler.exe |
|
| malware-ioc | nukesped_lazarus | .csc.exe``{:.highlight .language-cmhg} |
© ESET 2014-2018 |
| atomic-red-team | index.md | - Atomic Test #1: Compile After Delivery using csc.exe [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #1: Compile After Delivery using csc.exe [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1010.md | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1027.004.md | <blockquote>Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1027.004.md | - Atomic Test #1 - Compile After Delivery using csc.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1027.004.md | ## Atomic Test #1 - Compile After Delivery using csc.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1027.004.md | Compile C# code using csc.exe binary used by .NET | MIT License. © 2018 Red Canary |
| atomic-red-team | T1027.004.md | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} #{input_file} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1106.md | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:”#{output_file}” /target:exe #{source_file} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.009.md | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:”#{output_file}” /target:library #{source_file} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.009.md | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:”#{output_file}” /target:library /keyfile:$env:Temp\key.snk #{source_file} | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.