Use of FSharp Interpreters

Sigma Rules

Summary
This detection rule identifies the execution of the F# interpreters `FsiAnyCpu.exe` and `FSi.exe`. These interpreters can facilitate application whitelisting (AWL) bypass and execute arbitrary F# scripts, which may pose a security risk. The rule's selection criterion is based on Windows process creation logs: it looks for process images whose path ends in `fsi.exe` or `fsianycpu.exe`, and for original file names matching these interpreters. The detection is assigned a medium level, reflecting the potential for misuse by malicious actors to execute unauthorized scripts. Because F# interpreter use is context-sensitive, false positives may occur, particularly where legitimate use is prevalent among software developers.
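The following is an added example of the selection logic described above, written here for illustration; it is not the Sigma rule's own code and not part of the original page. It applies the two conditions from the summary (image path ending in one of the interpreter names, or a matching original file name) to newline-delimited JSON process-creation events, and returns the triage context an analyst would want for the false-positive case the summary mentions. The event field names (`Image`, `OriginalFileName`, `ParentImage`, `CommandLine`, `User`), the sample paths and the sample events are all constructed for this example.

```python
import json
from pathlib import PureWindowsPath

# Interpreter names named in the rule summary, compared case-insensitively.
FSHARP_INTERPRETER_NAMES = {"fsi.exe", "fsianycpu.exe"}


def match_reasons(event: dict) -> list[str]:
    """Return which of the rule's selection conditions an event meets.

    Two conditions mirror the summary: the image path ends in one of the
    interpreter names (checked on the path's final component, i.e. the
    equivalent of a '\\fsi.exe' suffix match, so 'myfsi.exe' does not match),
    or the PE's OriginalFileName matches, which still catches a renamed copy.
    """
    reasons = []
    image_name = PureWindowsPath(event.get("Image", "")).name.lower()
    if image_name in FSHARP_INTERPRETER_NAMES:
        reasons.append("image_name")
    if event.get("OriginalFileName", "").lower() in FSHARP_INTERPRETER_NAMES:
        reasons.append("original_filename")
    return reasons


def scan_process_events(jsonl: str) -> list[dict]:
    """Apply the selection to newline-delimited JSON process-creation events."""
    hits = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = match_reasons(event)
        if reasons:
            hits.append({
                "reasons": reasons,
                # Triage context: a developer workstation whose parent is the
                # IDE reads very differently from a renamed binary under a
                # world-writable directory, which is where the false-positive
                # judgement from the summary has to be made.
                "Image": event.get("Image"),
                "OriginalFileName": event.get("OriginalFileName"),
                "ParentImage": event.get("ParentImage"),
                "CommandLine": event.get("CommandLine"),
                "User": event.get("User"),
            })
    return hits


# Constructed sample events (field names and paths are assumptions, not real telemetry).
SAMPLE_EVENTS = r"""
{"Image": "C:\\Tools\\FSharp\\fsi.exe", "OriginalFileName": "fsi.exe", "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe", "CommandLine": "fsi.exe build.fsx", "User": "CORP\\dev01"}
{"Image": "C:\\Users\\Public\\updater.exe", "OriginalFileName": "fsianycpu.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "updater.exe --quiet", "User": "CORP\\jdoe"}
{"Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe", "User": "CORP\\jdoe"}
{"Image": "C:\\Tools\\myfsi.exe", "OriginalFileName": "myfsi.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "myfsi.exe", "User": "CORP\\dev01"}
"""


if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_EVENTS):
        print(hit)
```

The first sample matches on both conditions, the second only through `OriginalFileName` (the image was renamed), and the last two do not match at all; the fourth shows why the suffix check is anchored to the path separator rather than a bare `endswith("fsi.exe")`.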
Categories
  • Windows
Data Sources
  • Process
Created: 2022-06-02