CSIS RESEARCH - Windows Covert Compilers III

Windows Covert Compilers III.
DFIR ARTIFACTS

Dénes Olivér Óvári, Detection and Response Architect
CSIS Security Group A/S


A three-part blog series focusing on the Digital Forensics and Incident Response aspects of the compilers shipped with the Windows operating system and their use from PowerShell.


This post describes some of the typical artifacts left behind when the built-in C#, Visual Basic or JScript compilers are invoked in Windows through PowerShell.

All the artifacts listed below are collected and analysed by CSIS' proprietary Chronos platform.

Temporary directory

The temporary files created by TempFileCollection share a base name of 8 random characters, such as mxsuwxha.

These files are deleted almost immediately and, because of caching, will not leave any artifacts. The only exception is when PowerShell runs as an elevated process: the files are then dropped into a directory with the same name, such as %TEMP%\mxsuwxha, and this folder might remain on disk.

Prefetch files

The Prefetch files of the external executables involved might contain entries referring to the temporary files located either in %TEMP% or in %TEMP%\mxsuwxha, as well as to the "Resource File To COFF Object Conversion Utility" (cvtres.exe).

Below we show examples for each of these filenames. Remember that all of them contain random characters except for cvtres.exe.

C# and Visual Basic
csc.exe / vbc.exe

CSC36B119A4DAD6481187D6FD28CCE345C2.TMP or
VBC36B119A4DAD6481187D6FD28CCE345C2.TMP (random UUID)

mxsuwxha.0.CS or mxsuwxha.0.VB

mxsuwxha.DLL

mxsuwxha.out

mxsuwxha.TMP

RES5B41.TMP (4 random characters)

%SystemRoot%\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\CVTRES.EXE

cvtres.exe

%TEMP%\mxsuwxha

%TEMP%\mxsuwxha\CSC36B119A4DAD6481187D6FD28CCE345C2.TMP or
%TEMP%\mxsuwxha\VBC36B119A4DAD6481187D6FD28CCE345C2.TMP (random UUID)

%TEMP%\mxsuwxha\RES5B41.TMP (4 random characters)

JScript
cvtres.exe

%TEMP%\mxsuwxha

%TEMP%\mxsuwxha\RES5B41.TMP (4 random characters)
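The filename patterns listed above can be matched mechanically. The Python triage helper below is an added example, not code from the original post or from the Chronos platform: it classifies a list of file paths (for instance the file references extracted from a Prefetch file) against those patterns and flags a base name that has both a source file and compiler output. The sample paths are constructed, and the assumption that the 8 random characters are lowercase letters or digits is the example's own.

```python
import re
from collections import Counter

# %TEMP%\ or ...\TEMP\, optionally followed by the 8-character subfolder left by an
# elevated PowerShell. Assumed: the 8 random characters are lowercase letters/digits.
TEMP = r"(?:\\|%)TEMP%?\\(?:[a-z0-9]{8}\\)?"
BASE = r"(?P<base>[a-z0-9]{8})"

PATTERNS = [  # (artifact kind, regex) in the order they are tried
    ("csc_vbc_tmp",  re.compile(TEMP + r"(?:CSC|VBC)[0-9A-F]{32}\.TMP$", re.I)),
    ("source",       re.compile(TEMP + BASE + r"\.0\.(?:CS|VB)$", re.I)),
    ("assembly",     re.compile(TEMP + BASE + r"\.DLL$", re.I)),
    ("compiler_out", re.compile(TEMP + BASE + r"\.(?:out|TMP)$", re.I)),
    ("res_tmp",      re.compile(TEMP + r"RES[0-9A-F]{4}\.TMP$", re.I)),
    ("temp_dir",     re.compile(r"(?:\\|%)TEMP%?\\" + BASE + r"$", re.I)),
    ("cvtres_exe",   re.compile(r"\\CVTRES\.EXE$", re.I)),
]

def classify(path):
    """Return (kind, 8-char base name or None), or None if the path is unrelated."""
    for kind, rx in PATTERNS:
        m = rx.search(path)
        if m:
            base = m.groupdict().get("base")
            return kind, (base.lower() if base else None)
    return None

def triage(references):
    """Group hits per base name; a base with a source file and compiler output is flagged."""
    per_base, kinds = {}, Counter()
    for ref in references:
        hit = classify(ref)
        if hit is None:
            continue
        kind, base = hit
        kinds[kind] += 1
        if base:
            per_base.setdefault(base, set()).add(kind)
    likely = sorted(b for b, k in per_base.items()
                    if "source" in k and k & {"assembly", "compiler_out"})
    return {"kinds": dict(kinds), "bases": per_base, "likely_compiles": likely}

SAMPLE_REFERENCES = [  # constructed sample, modelled on the filenames listed above
    r"\VOLUME{GUID}\USERS\ANALYST\APPDATA\LOCAL\TEMP\CSC36B119A4DAD6481187D6FD28CCE345C2.TMP",
    r"\VOLUME{GUID}\USERS\ANALYST\APPDATA\LOCAL\TEMP\mxsuwxha.0.CS",
    r"\VOLUME{GUID}\USERS\ANALYST\APPDATA\LOCAL\TEMP\mxsuwxha.DLL",
    r"\VOLUME{GUID}\USERS\ANALYST\APPDATA\LOCAL\TEMP\mxsuwxha.out",
    r"\VOLUME{GUID}\USERS\ANALYST\APPDATA\LOCAL\TEMP\RES5B41.TMP",
    r"\VOLUME{GUID}\WINDOWS\MICROSOFT.NET\FRAMEWORK64\V4.0.30319\CVTRES.EXE",
    r"\VOLUME{GUID}\WINDOWS\SYSTEM32\KERNEL32.DLL",  # 8-char name, but not under TEMP
]
```

Calling triage(SAMPLE_REFERENCES) reports one likely compile, mxsuwxha; the TEMP anchor is what keeps ordinary 8-character system DLLs such as KERNEL32.DLL out of the result.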

Windows Event Log

The expected PowerShell-related Event Log entries (see [1]) could be observed.

Thanks to my colleague Conor Kelly for his review.
"Jscript, Microsoft, PowerShell, Windows are trademarks of the Microsoft group of companies."

References

[1] Vikas, PowerShell Command History Forensics, 2020.