Aspnet_Compiler.exe
ASP.NET Compilation Tool
Paths
c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Commands
AWL Bypass
Execute C# code with the Build Provider and proper folder structure in place.
Use case: Execute proxied payload with Microsoft signed binary to bypass application control solutions
Privileges: User
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u
Detection
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_lolbin_aspnet_compiler.yml
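A triage check for process-creation logs, added here as an example; it is not part of this entry or of the linked Sigma rule. It flags aspnet_compiler.exe runs whose source (-p) or target directory sits in a user-writable location, as in the command above. The directory list and the function names are assumptions to tune per environment.

```python
import re

# Assumption: locations any standard user can write to; tune per environment.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|temp|windows\\temp)\\", re.I)

def tokenize(cmdline):
    """Split a command line on whitespace, keeping double-quoted arguments whole."""
    return [q if q else bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def assess(cmdline):
    """Return reasons to review an aspnet_compiler.exe invocation ([] if none)."""
    tokens = tokenize(cmdline)
    if not tokens or not tokens[0].lower().endswith("aspnet_compiler.exe"):
        return []
    reasons = []
    for prev, tok in zip(tokens, tokens[1:]):
        if not re.match(r"[a-z]:\\", tok, re.I):
            continue  # not an absolute path argument
        role = "source (-p)" if prev.lower() == "-p" else "target"
        if USER_WRITABLE.match(tok):
            reasons.append(f"{role} directory is user-writable: {tok}")
    return reasons

# Constructed process-creation command lines; the first is the command shown on this page.
SAMPLES = [
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u",
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v /shop -p C:\inetpub\wwwroot\shop D:\deploy\shop",
    r"C:\Windows\System32\cmd.exe /c dir C:\users\public",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(assess(line) or "no findings")
```

Precompilation from a web root to a deployment share (the second sample) produces no findings, which keeps the check usable on build servers.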