
Summary
This detection rule targets the use of CSC.exe, the .NET C# compiler binary, which adversaries may abuse to compile and execute malicious payloads under the guise of legitimate compilation. The objective of the rule is to identify unusual behavior associated with the execution of CSC.exe and similar binaries on endpoints, using event types such as child processes, network connections, and process events. By monitoring for the execution of CSC.exe together with its associated tooling, such as cvtres.exe, the detection aims to capture attempts at defense evasion through obfuscated files or information. The logic aggregates the relevant endpoint data, filters events concerning process creation and network activity, and uses Splunk's query capabilities to present the findings, so that potentially malicious behavior linked to these .NET compilation tools can be analyzed. This rule aligns with technique T1027.004 of the MITRE ATT&CK framework, which covers obfuscated files or information used during attacks, particularly payloads compiled after delivery. This behavior has been documented in various threat intelligence reports, highlighting its relevance in modern attack scenarios.
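The aggregation described above, as an added illustration rather than the rule's own Splunk query: constructed Sysmon-style process-creation records are scanned for csc.exe launches, each launch is tagged with whether a cvtres.exe child followed and whether the parent falls outside an assumed set of developer tools (EXPECTED_PARENTS is a tuning assumption, not part of the original rule).

```python
# Constructed process-creation records in a Sysmon-like shape (sample data,
# not real telemetry and not the original rule's query).
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4001, "ppid": 3001,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "ws01", "pid": 4002, "ppid": 4001,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"host": "dev02", "pid": 5001, "ppid": 2500,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe"},
    {"host": "dev02", "pid": 5002, "ppid": 5001,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"host": "ws01", "pid": 4100, "ppid": 3001,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

COMPILER_TOOLS = {"csc.exe", "cvtres.exe"}
# Parents that routinely spawn csc.exe on developer machines; an assumption
# to tune per environment, not a list taken from the detection rule.
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_compiler_activity(events):
    """Return one finding per csc.exe launch, noting the parent process,
    whether it is outside EXPECTED_PARENTS, and whether cvtres.exe followed."""
    findings = {}
    for ev in events:
        if basename(ev["image"]) != "csc.exe":
            continue  # only csc.exe launches seed a finding
        parent = basename(ev["parent_image"])
        findings[(ev["host"], ev["pid"])] = {
            "host": ev["host"], "csc_pid": ev["pid"], "parent": parent,
            "unusual_parent": parent not in EXPECTED_PARENTS, "cvtres_seen": False}
    # Second pass so cvtres.exe is matched to its csc.exe parent regardless of event order.
    for ev in events:
        if basename(ev["image"]) == "cvtres.exe":
            key = (ev["host"], ev["ppid"])
            if key in findings:
                findings[key]["cvtres_seen"] = True
    return sorted(findings.values(), key=lambda f: (f["host"], f["csc_pid"]))
```

On the sample data the ws01 launch is reported with powershell.exe as an unusual parent, while the dev02 launch under MSBuild is reported but not flagged.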
Categories
- Endpoint
- Windows
Data Sources
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1010
- T1127.001
- T1027.004
Created: 2024-02-09