type: technique | confidence: high | created: 2026-05-30 | updated: 2026-05-30 | tags: anti-vm, anti-debug, evasion, defense-evasion

aspnet_compiler process-name sandbox evasion

A behavioral sandbox-evasion technique in which malware checks the process list for the presence of aspnet_compiler.exe before executing its payload. The absence of this process indicates a non-development / potentially automated analysis environment, causing the malware to abort or wait.

What It Does

aspnet_compiler.exe is a legitimate .NET build tool distributed with the Windows SDK / .NET Framework. It is commonly present on developer workstations but rarely present in clean sandbox VMs or automated analysis environments. Malware checks Get-Process aspnet_compiler (or equivalent WMI query) and proceeds only if the process is found.

Detection / Fingerprint

  • PowerShell or WMI queries for process name aspnet_compiler (case-insensitive)
  • Conditional logic: if process missing → sleep, exit, or take a benign code path
  • Often paired with other process checks (e.g. vmtoolsd, VBoxService) in more sophisticated samples

Reproduce on your own VMs

PowerShell gate (research snippet)

# Returns $true when no process with the given name is running.
# -ErrorAction SilentlyContinue suppresses the error Get-Process raises for an unknown name,
# so $processInfo is simply $null in that case.
function Confirm-ProcessMissing($ProcessIdentifier) {
    $processInfo = Get-Process -Name $ProcessIdentifier -ErrorAction SilentlyContinue
    return ($null -eq $processInfo)
}

# Gate: treat a machine without a running aspnet_compiler as an analysis environment.
if (Confirm-ProcessMissing -ProcessIdentifier "aspnet_compiler") {
    Write-Host "Sandbox detected. Exiting."
    exit 0
}

Write-Host "Proceeding with payload."

Verification

Run the script on a clean VM without Visual Studio / .NET SDK installed. It should exit. Install the .NET Framework SDK (which includes aspnet_compiler.exe), run the script again, and it should proceed.

Defensive Countermeasures

  • Pre-load aspnet_compiler.exe (or a decoy process with the same name) in sandbox VMs so the check passes and the sample continues into its payload
  • Hunt for process-name queries in PowerShell transcript logs or WMI telemetry
  • Alert on scripts that enumerate processes and then conditionally branch based on the presence of development tools
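The hunt and alert bullets above combined into one heuristic, as an added example that is not part of the original page: it scans the text of logged script blocks (for instance PowerShell script-block-logging content) for the three parts of this gate, a process lookup, an abort or sleep, and a development-tool name. The sample records, the record ids and the extra tool names beside aspnet_compiler are constructed for the example.

```python
import re

# Development/build tools whose running process an evasive script may test for.
# aspnet_compiler is the case on this page; the other names are assumed examples.
DEV_TOOL_NAMES = ("aspnet_compiler", "devenv", "msbuild")

# Signal 1: the script looks up or enumerates processes (PowerShell, WMI/CIM, .NET, tasklist).
PROCESS_LOOKUP = re.compile(
    r"Get-Process\b|Win32_Process\b|\btasklist\b|GetProcessesByName", re.IGNORECASE)
# Signal 2: it can abort or stall, as the gate above does when the process is missing.
GATE_ACTION = re.compile(r"\bexit\b|Start-Sleep\b|\[Environment\]::Exit", re.IGNORECASE)


def find_dev_tool_gates(script_text: str) -> list[str]:
    """Return the dev-tool names a script block mentions when it ALSO looks up
    processes and ALSO contains an exit/sleep. The tool name is matched anywhere in
    the script, not only next to Get-Process, because samples (like the snippet on
    this page) pass it through a parameter or variable."""
    if not (PROCESS_LOOKUP.search(script_text) and GATE_ACTION.search(script_text)):
        return []
    return [n for n in DEV_TOOL_NAMES
            if re.search(r"\b" + re.escape(n) + r"\b", script_text, re.IGNORECASE)]


def scan_script_blocks(blocks: dict[str, str]) -> dict[str, list[str]]:
    """Map record id -> flagged tool names, keeping only records that trip the heuristic."""
    hits = {rid: find_dev_tool_gates(text) for rid, text in blocks.items()}
    return {rid: tools for rid, tools in hits.items() if tools}


# Constructed sample script blocks standing in for logged script-block content.
SAMPLE_BLOCKS = {
    # The page's gate, with the process name passed through a parameter.
    "rec-1": ('function Confirm-ProcessMissing($ProcessIdentifier) {\n'
              '    $p = Get-Process -Name $ProcessIdentifier -ErrorAction SilentlyContinue\n'
              '    return ($null -eq $p)\n}\n'
              'if (Confirm-ProcessMissing -ProcessIdentifier "aspnet_compiler") { exit 0 }\n'),
    # Build script that runs the tool but never inspects the process list: benign.
    "rec-2": '& .\\aspnet_compiler.exe -v / -p .\n',
    # Admin script that lists processes but has no gate and no dev-tool name: benign.
    "rec-3": 'Get-Process | Sort-Object CPU -Descending | Select-Object -First 5\n',
    # WMI variant of the same gate, using the .exe suffix and a sleep instead of exit.
    "rec-4": ("if (-not (Get-WmiObject Win32_Process -Filter \"Name='aspnet_compiler.exe'\")) "
              "{ Start-Sleep -Seconds 600 }\n"),
}

if __name__ == "__main__":
    print(scan_script_blocks(SAMPLE_BLOCKS))  # {'rec-1': ['aspnet_compiler'], 'rec-4': ['aspnet_compiler']}
```

Tune the three signal lists to your environment; a script-block logging pipeline feeding `scan_script_blocks` with event text is the intended use.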

Pages where observed

  • spamitaInvio proforma.js decrypts a PowerShell stage that checks for aspnet_compiler before decrypting and loading the final .NET assembly ^[report.md]