
Suspicious csc.exe Source File Folder

Anvilogic Forge

Summary
This detection rule targets misuse of the C# compiler (csc.exe) by adversaries who deliver a payload as source code rather than as a compiled binary and compile it on the victim host. Because the malicious executable never crosses the network or lands on disk until csc.exe produces it, static and signature-based controls get no chance to inspect it before it is built. Executing csc.exe against source or response files in user- or system-writable locations such as \AppData or \Windows\Temp is the observable that the rule keys on. It monitors Sysmon event code 1 (process creation), applies regex patterns that exclude expected parent processes and match the suspicious file paths, and alerts on the remaining csc.exe launches. Sysmon's process-creation telemetry (full image path, command line and parent image) gives the rule higher fidelity than the default Windows security audit log. The behavior maps to the defense-evasion technique Obfuscated Files or Information: Compile After Delivery (T1027.004), and has been observed in activity attributed to Alpha (STAC1248).
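The detection logic described above, expressed as an added illustration rather than the rule's own query: a Python filter over Sysmon event ID 1 records that flags csc.exe when it is launched with a source or response file under \AppData or \Windows\Temp and the parent is not a known build tool. The parent-process exclusion list, the field names and the sample events are all constructed for this example and are not taken from the original page or from Anvilogic's rule.

```python
import re
from typing import Iterable

# Source/response-file locations named in the rule summary.
SUSPICIOUS_PATH = re.compile(r"\\(AppData|Windows\\Temp)\\", re.IGNORECASE)

# Assumed benign parents (build tooling) to exclude; tune per environment.
EXCLUDED_PARENTS = re.compile(r"\\(msbuild|devenv|vbcscompiler)\.exe$", re.IGNORECASE)

# The compiler itself, matched on the image basename.
CSC_IMAGE = re.compile(r"\\csc\.exe$", re.IGNORECASE)


def is_suspicious_csc(event: dict) -> bool:
    """Return True if a Sysmon process-creation event matches the rule logic."""
    if event.get("EventID") != 1:            # only process creation
        return False
    if not CSC_IMAGE.search(event.get("Image", "")):
        return False
    if EXCLUDED_PARENTS.search(event.get("ParentImage", "")):
        return False                         # expected build-tool parent
    return bool(SUSPICIOUS_PATH.search(event.get("CommandLine", "")))


def find_alerts(events: Iterable[dict]) -> list[dict]:
    """Filter a stream of Sysmon events down to the ones that should alert."""
    return [e for e in events if is_suspicious_csc(e)]


# Constructed sample events (field names follow Sysmon event ID 1); not real telemetry.
SAMPLE_EVENTS = [
    {   # PowerShell driving csc.exe with a response file in the user's temp dir -> alert
        "EventID": 1,
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "CommandLine": r'csc.exe /noconfig /fullpaths @"C:\Users\alice\AppData\Local\Temp\k2fq1x3z\k2fq1x3z.cmdline"',
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # MSBuild compiling a project from a source tree -> excluded parent, benign path
        "EventID": 1,
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "CommandLine": r'csc.exe /noconfig @"C:\src\app\obj\Debug\app.rsp"',
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
    },
    {   # cmd.exe compiling a .cs dropped in \Windows\Temp -> alert
        "EventID": 1,
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "CommandLine": r"csc.exe /out:C:\Windows\Temp\svc.exe C:\Windows\Temp\svc.cs",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # Unrelated process in a suspicious path -> not csc.exe
        "EventID": 1,
        "Image": r"C:\Users\alice\AppData\Local\Temp\installer.exe",
        "CommandLine": r"installer.exe /quiet",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # Network connection event for csc.exe -> wrong event code
        "EventID": 3,
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        "CommandLine": "",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT parent={hit['ParentImage']} cmd={hit['CommandLine']}")
```

The first and third sample events alert; the MSBuild launch, the non-csc.exe process and the event ID 3 record do not. One tuning caveat: PowerShell's Add-Type cmdlet legitimately invokes csc.exe with a .cmdline response file under the user's %TEMP%, which is exactly the first sample, so environments with heavy PowerShell administration will want to baseline that pattern (for instance by parent command line or signed script origin) rather than simply adding powershell.exe to the parent exclusion list.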
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1027.004
  • T1027
Created: 2024-02-09