
Summary
This detection rule identifies the execution of the F# interpreters `FsiAnyCpu.exe` and `FSi.exe`. These interpreters can be used for AWL (Application Whitelisting) bypass and for the execution of arbitrary F# scripts, which may pose a security risk. The rule's selection criteria are based on Windows process creation logs: it matches images whose path ends in `fsi.exe` or `fsianycpu.exe`, as well as original file names matching these interpreters. The detection is assigned a medium level, reflecting the potential for misuse by malicious actors to execute unauthorized scripts. Because the use of F# interpreters is context-sensitive, false positives may occur, particularly where legitimate use is common among software developers.
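The selection logic described above, applied to a few constructed process creation events (an added example, not code from the original rule page; the field names follow the Sysmon event 1 / Sigma process_creation convention and the sample paths are assumed):

```python
# Added example, not code from the original rule page: a minimal matcher that
# applies the rule's two selections to Windows process creation events.
# Field names (Image, OriginalFileName, ProcessId) follow the Sysmon event 1 /
# Sigma process_creation convention; every sample event below is constructed.

# Image selection: the path must end with the separator plus the file name, so
# an unrelated binary such as "myfsi.exe" does not match.
IMAGE_SUFFIXES = ("\\fsi.exe", "\\fsianycpu.exe")
# OriginalFileName selection: taken from the PE version resource, so it still
# fires when the interpreter has been copied to a different file name.
ORIGINAL_NAMES = {"fsi.exe", "fsianycpu.exe"}


def matches_fsharp_interpreter(event: dict) -> bool:
    """Return True when either selection matches (case-insensitive, as Sigma does)."""
    image = (event.get("Image") or "").lower()
    original = (event.get("OriginalFileName") or "").lower()
    return image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_NAMES


def triage(events) -> list:
    """Return the ProcessIds of all events the rule would flag, in input order."""
    return [e["ProcessId"] for e in events if matches_fsharp_interpreter(e)]


SAMPLE_EVENTS = [
    # 1: interpreter launched from a typical Visual Studio location (constructed path)
    {"ProcessId": 4100,
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\FSharp\Tools\FsiAnyCpu.exe",
     "OriginalFileName": "fsianycpu.exe"},
    # 2: same binary copied under another name; only the OriginalFileName selection still matches
    {"ProcessId": 4101,
     "Image": r"C:\Users\Public\svc.exe",
     "OriginalFileName": "fsi.exe"},
    # 3: benign process, must not match
    {"ProcessId": 4102,
     "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
    # 4: name merely ends in "fsi.exe" without the path separator; must not match
    {"ProcessId": 4103,
     "Image": r"C:\tools\myfsi.exe",
     "OriginalFileName": "myfsi.exe"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["ProcessId"], "MATCH" if matches_fsharp_interpreter(e) else "-", e["Image"])
```

Event 2 is the reason the rule carries the OriginalFileName selection alongside the Image check: a renamed copy keeps its version-resource name, and the developer-workstation hits like event 1 are where the false positives the summary mentions will come from.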
Categories
- Windows
Data Sources
- Process
Created: 2022-06-02