Using C# for post-PowerShell attacks

C# has received some recent attention in the security community, and the Microsoft.Workflow.Compiler.exe security issue recently identified by Matt Graeber at SpecterOps prompted us to take a closer look at the potential for using this technique in real-world attacks. First, we will look at how PowerShell fits into the ‘fileless’ attack ecosystem and talk about why attackers may find C# more attractive than PowerShell. Finally, we will look at why the newly found issue in Microsoft.Workflow.Compiler.exe may be useful but – in its current form – cannot be considered a truly ‘fileless’ technique.
