This post will explore code execution with aspnet_compiler.exe. I’m going to outline how to use the Microsoft signed executable to load & execute a local DLL builder and quickly discuss defensive opportunities. However, before going further, I would like to thank Lee Kagan and Antonlovesdnb for looking at BringYourOwnBuilder from a defensive standpoint.
A couple of weeks ago I was poking around the Microsoft.NET directory and came across aspnet_compiler.exe. Naturally, *_compiler.exe is eyebrow raising, so I decided to take a look at the command-line options; quite a bit to drink in.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe -v none -p C:\users\cpl.internal\desktop\asptest\ -f C:\users\cpl.internal\desktop\asptest\none -u
Inspecting the command above with procmon gives the following results.