0

I've noticed that powershell.exe started csc.exe with a command line like this:

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\TEMP\pn1kld2d.cmdline"

I've read the CSC manual page, but didn't found any clues about what that @ sign does here.

Does anyone know the purpose of this @ sign?

Alex
  • 168
  • 9
  • 1
    I'm *pretty* sure it takes additional arguments from the listed file, but I can't find any reference to back me up. – Ignacio Vazquez-Abrams Apr 01 '18 at 17:29
  • 1
    That's strange, I've seen some Ursnif/Gozi malware samples perform this activity utilizing malicious VBS files. parentname: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe value: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\iuy52nsm.cmdline" cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\x0mmbazr.cmdline" cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /f – Baber Jun 17 '21 at 16:51
  • @Baber, this is explainable because this is (unfortunately!) a common behavior of legit Microsoft products - without ANY opportunity for IT Security team to understand what is actually happening on that machine. So as a security guy, you're always blinded here :( Only a proper EDR solution might help - to some extent, of course... No wonder that malicious actors try to hide in the same behavior. – Alex Jun 20 '21 at 13:31

1 Answers1

2

When in doubts, try inbuilt help csc.exe /help:

==> pushd "C:\Windows\Microsoft.NET\Framework64\v4.0.30319"

==> csc.exe /? | findstr /I "noconfig fullpaths C# @ (R) help"
Microsoft (R) Visual C# Compiler version 4.7.2556.0 for C# 5
This compiler is provided as part of the Microsoft (R) .NET Framework, but only
 supports language versions up to C# 5, which is no longer the latest version.
 For compilers that support newer versions of the C# programming language, see
 http://go.microsoft.com/fwlink/?LinkID=533240
                        Visual C# Compiler Options
@<file>                        Read response file for more options
/help                          Display this usage message (Short form: /?)
/noconfig                      Do not auto include CSC.RSP file
/fullpaths                     Compiler generates fully qualified paths

==>

Then, find csc.exe response file documentation:

@ (C# Compiler Options)

The @ option lets you specify a file that contains compiler options and source code files to compile.

Syntax: @response_file

Arguments: response_file A file that lists compiler options or source code files to compile.

Remarks: The compiler options and source code files will be processed by the compiler just as if they had been specified on the command line.
...

JosefZ
  • 1,514
  • 1
  • 10
  • 18