Skip to content

Hide Navigation Hide TOC

Suspicious Csi.exe Usage (40b95d31-1afc-469e-8d34-9a3a667d058e)

Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'

Cluster A Galaxy A Cluster B Galaxy B Level
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Suspicious Csi.exe Usage (40b95d31-1afc-469e-8d34-9a3a667d058e) Sigma-Rules 1
Suspicious Csi.exe Usage (40b95d31-1afc-469e-8d34-9a3a667d058e) Sigma-Rules Software Deployment Tools - T1072 (92a78814-b191-47ca-909c-1ccfe3777414) Attack Pattern 1