FsiAnyCpu.exe
32/64-bit FSharp (F#) Interpreter included with Visual Studio.
Paths
c:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsianycpu.exe
Commands
AWL Bypass
Execute F# code via script file
Use case: Execute payload with a Microsoft-signed binary to bypass WDAC policies
Privileges: User
fsianycpu.exe {PATH:.fsscript}
AWL Bypass
Execute F# code via interactive command line
Use case: Execute payload with a Microsoft-signed binary to bypass WDAC policies
Privileges: User
fsianycpu.exe
Detection
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- IOC: FsiAnyCpu.exe execution may be suspicious on non-developer machines
- Sigma: https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml