
Summary
This anomaly flags potential signed binary proxy execution on Windows endpoints: the launch of a common .NET utility (aspnet_compiler.exe, msbuild.exe, regasm.exe, InstallUtil.exe, or vbc.exe) whose parent process is a script (batch, CMD, PowerShell, JScript, VBScript, or HTML) running from an unusual or user-writable location (for example Public, Temp, Fonts, Debug, Recycle Bin, Prefetch, or similar paths). The rule additionally requires that the child's command line is little more than its image path or name, i.e. the utility is invoked with few or no arguments. These tools are normally given a project file, assembly, or source file to work on, so a bare invocation is unusual and fits adversaries who stage their input in the working directory (msbuild.exe with no arguments builds whatever project file it finds in the current directory) and hide behind a script parent in a low-trust folder. The behavior maps to signed binary proxy execution (MITRE ATT&CK T1218), a defense-evasion technique. In practice, process-creation telemetry (Sysmon Event ID 1, Windows Security event 4688, or CrowdStrike ProcessRollup2) is correlated to identify a .NET binary invoked in the context of a script launcher from a suspicious directory. When matched, the rule raises an anomaly that is triaged by examining the host, the user, the parent-child process relationship, the script path and working directory, and the exact command line of the .NET utility. Expect some benign matches from installers, build agents, or deployment scripts that run these utilities out of temporary folders; those should be confirmed and then excluded by path rather than by disabling the rule. The pattern is notable because it runs code through legitimate, widely trusted, signed binaries, making it a high-priority signal for code execution and defense evasion on Windows endpoints.
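The three conditions in the summary, applied to process-creation records, as an added worked example (it is not the rule's own search logic and not code from the page). Field names follow Sysmon Event ID 1; the sample events are constructed for illustration. Two assumptions are made explicit in the code: the "script parent" is represented by its script host process (cmd.exe, powershell.exe/pwsh.exe, wscript.exe/cscript.exe, mshta.exe), and the script's location is taken from the parent's command line or the child's working directory.

```python
"""Added example: summary logic of the rule run over constructed Sysmon Event ID 1
style records. Not the rule's own implementation; sample events are invented."""
import re
from pathlib import PureWindowsPath

# .NET utilities named in the rule (matched on image basename, case-insensitively).
DOTNET_UTILITIES = {"aspnet_compiler.exe", "msbuild.exe", "regasm.exe",
                    "installutil.exe", "vbc.exe"}
# Assumption: script parents appear as their host process. batch/CMD -> cmd.exe,
# PowerShell -> powershell.exe/pwsh.exe, JScript/VBScript -> wscript.exe/cscript.exe,
# HTML application -> mshta.exe.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Low-trust / user-writable folders from the summary, matched as a path component.
LOW_TRUST_DIRS = re.compile(
    r"\\(?:users\\public|temp|tmp|fonts|debug|\$recycle\.bin|recycler|prefetch"
    r"|appdata\\local\\temp)\\", re.IGNORECASE)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def minimal_command_line(command_line: str, image: str) -> bool:
    """True when the command line is nothing but the image path or its basename
    (quotes and surrounding whitespace ignored), i.e. the utility got no arguments."""
    token = command_line.strip().strip('"').strip().lower()
    return token in {image.lower(), basename(image)}


def matches(ev: dict) -> bool:
    """Apply the rule's conditions to one process-creation record."""
    if basename(ev["Image"]) not in DOTNET_UTILITIES:
        return False
    if basename(ev["ParentImage"]) not in SCRIPT_HOSTS:
        return False
    # Assumption: the script's location shows up in the parent's command line
    # (the script path) or in the child's working directory.
    location = ev.get("ParentCommandLine", "") + " " + ev.get("CurrentDirectory", "")
    if not LOW_TRUST_DIRS.search(location):
        return False
    return minimal_command_line(ev["CommandLine"], ev["Image"])


def triage_record(ev: dict) -> dict:
    """The fields an analyst looks at first: host, user, parent/child, command lines."""
    return {"host": ev["Computer"], "user": ev["User"],
            "parent": basename(ev["ParentImage"]), "parent_cmd": ev["ParentCommandLine"],
            "child": basename(ev["Image"]), "child_cmd": ev["CommandLine"],
            "cwd": ev.get("CurrentDirectory", "")}


def find_anomalies(events) -> list:
    return [triage_record(ev) for ev in events if matches(ev)]


# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    {   # batch file in Public launches MSBuild with no arguments -> expected hit
        "Computer": "WS01", "User": "CORP\\alice",
        "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
        "CommandLine": "\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe\"",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "ParentCommandLine": "cmd.exe /c \"C:\\Users\\Public\\build.bat\"",
        "CurrentDirectory": "C:\\Users\\Public\\"},
    {   # VBScript in Windows\Temp launches InstallUtil by bare name -> expected hit
        "Computer": "WS02", "User": "CORP\\bob",
        "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe",
        "CommandLine": "InstallUtil.exe",
        "ParentImage": "C:\\Windows\\System32\\wscript.exe",
        "ParentCommandLine": "wscript.exe C:\\Windows\\Temp\\setup.vbs",
        "CurrentDirectory": "C:\\Windows\\Temp\\"},
    {   # developer build from a source tree, with arguments -> not flagged
        "Computer": "DEV01", "User": "CORP\\carol",
        "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
        "CommandLine": "msbuild.exe App.sln /t:Build /p:Configuration=Release",
        "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentCommandLine": "powershell.exe -File C:\\src\\App\\build.ps1",
        "CurrentDirectory": "C:\\src\\App\\"},
    {   # Visual Studio parent, Temp working directory -> parent is not a script host
        "Computer": "DEV02", "User": "CORP\\dave",
        "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
        "CommandLine": "\"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe\"",
        "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe",
        "ParentCommandLine": "\"C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe\"",
        "CurrentDirectory": "C:\\Users\\dave\\AppData\\Local\\Temp\\"},
    {   # regasm with arguments from Public -> misses the minimal-command-line test
        "Computer": "WS03", "User": "CORP\\eve",
        "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe",
        "CommandLine": "regasm.exe /U C:\\Users\\Public\\lib.dll",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "ParentCommandLine": "cmd.exe /c C:\\Users\\Public\\run.cmd",
        "CurrentDirectory": "C:\\Users\\Public\\"},
]

if __name__ == "__main__":
    for hit in find_anomalies(SAMPLE_EVENTS):
        print(hit)
```

The last sample event shows the precision trade-off built into the rule: a regasm.exe launched from Public with a DLL argument is not flagged, because the command line differs from the image name. That is by design, since the minimal-command-line test is what keeps ordinary build invocations out of the result set, but it means this rule should sit alongside argument-based T1218 detections rather than replace them.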
Categories
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1218
Created: 2026-04-16