---
Name: Microsoft.Workflow.Compiler.exe
Description: A utility included with .NET that is capable of compiling and executing C# or VB.net code.
Author: 'Conor Richard'
Created: '2018-10-22'
Commands:
  - Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml
    Description: Compile and execute C# or VB.net code in a XOML file referenced in the tests.xml file.
    Usecase: Compile and run code
    Category: Execution
    Privileges: User
    MitreID: T1127
    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
    OperatingSystem: Windows 10S
  - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
    Description: Compile and execute C# or VB.net code in a XOML file referenced in the tests.txt file.
    Usecase: Compile and run code
    Category: Execution
    Privileges: User
    MitreID: T1127
    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
    OperatingSystem: Windows 10S
  - Command: Microsoft.Workflow.Compiler.exe tests.xml results.xml
    Description: Compile and execute C# or VB.net code in a XOML file referenced in the tests.xml file.
    Usecase: Compile and run code
    Category: AWL Bypass
    Privileges: User
    MitreID: T1127
    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
    OperatingSystem: Windows 10S
  - Command: Microsoft.Workflow.Compiler.exe tests.txt results.txt
    Description: Compile and execute C# or VB.net code in a XOML file referenced in the tests.txt file.
    Usecase: Compile and run code
    Category: AWL Bypass
    Privileges: User
    MitreID: T1127
    MitreLink: https://attack.mitre.org/wiki/Technique/T1127
    OperatingSystem: Windows 10S
Full Path:
  - Path: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Code Sample:
  - Code:
Detection:
  - IOC: Microsoft.Workflow.Compiler.exe would not normally be run on workstations.
  - IOC: The presence of csc.exe or vbc.exe as child processes of Microsoft.Workflow.Compiler.exe
  - IOC: Presence of "