In light of recent malware behavior, playing around with the .NET CSharpCodeProvider runtime compiler yielded some interesting results:
It still executes csc.exe.
Even if GenerateInMemory=true, it drops a randomly named .dll into %TEMP%.
This also occurs if GenerateExecutable=true.
By default, the csc command line used by this execution method is: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"%TEMP%\<RANDOMFILE>.cmdline"
The referenced .NET version may vary with environment variables and with the .NET version the calling code was compiled against.
So by default, if a piece of malware has used this method, forensic evidence remains in %TEMP% in the form of a randomly named .dll file.
This file can easily be decompiled with tools such as JetBrains' dotPeek to reverse engineer what the malware executed.
So for the red teamers out there: after your runtime-compiled .NET code has run, locate the physical assembly and delete it from disk to prevent easy reverse engineering.
For the blue team: you always want to monitor, or block, execution of csc.exe.
If you are running process-monitor logs, a runtime-compiled .NET binary creates the following files in %TEMP%, most of which are deleted by default:
*.tmp
*.X.X.cs (X.X being the framework version, e.g. 2.0)
*.dll
*.cmdline
All of these are removed by default upon successful runtime compilation, except the .dll.
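An added example (not from the original thread) that reproduces the behavior described above from Windows PowerShell 5.1 on .NET Framework (CSharpCodeProvider cannot compile on .NET Core/.NET 5+): it compiles a snippet with GenerateInMemory=true, lists whatever csc.exe left under %TEMP% for that compilation, and then removes the dropped assembly the way the thread recommends for red teamers. The class and method names (Probe, Hello) are made up for the demonstration.

```powershell
# Added example, not part of the original thread.
# Compile through CodeDom with GenerateInMemory=true and inspect %TEMP%.
$source = @"
public static class Probe {
    public static string Hello() { return "compiled at runtime"; }
}
"@

$provider = New-Object Microsoft.CSharp.CSharpCodeProvider
$params   = New-Object System.CodeDom.Compiler.CompilerParameters
$params.GenerateInMemory   = $true     # "in memory" still spawns csc.exe
$params.GenerateExecutable = $false
[void]$params.ReferencedAssemblies.Add("System.dll")

$results = $provider.CompileAssemblyFromSource($params, $source)
if ($results.Errors.HasErrors) {
    $results.Errors | ForEach-Object { Write-Warning $_.ToString() }
    return
}

# Show that the code really ran from the loaded assembly.
$results.CompiledAssembly.GetType("Probe").GetMethod("Hello").Invoke($null, $null)

# TempFiles.BasePath is "<TempDir>\<random name>". Every intermediate
# (.cs, .cmdline, .tmp, .dll) shares that prefix, so glob on it to see
# what survived the compiler's own cleanup.
$base = $results.TempFiles.BasePath
Write-Host "Temp base path: $base"
$leftovers = Get-ChildItem -Path "$base*" -File -ErrorAction SilentlyContinue
if ($leftovers) {
    $leftovers | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
} else {
    Write-Host "No intermediates remain for this base path."
}

# Red-team cleanup: with GenerateInMemory the runtime loads the assembly
# from a byte copy of the file, so the on-disk .dll is not locked and can
# be deleted immediately after the code has been loaded.
$dropped = "$base.dll"
if (Test-Path $dropped) {
    Remove-Item -Path $dropped -Force
    Write-Host "Removed $dropped"
}
```

Run it once, then run the same script with the Remove-Item lines commented out and check %TEMP% by hand: the .cmdline and .cs intermediates are gone while the randomly named .dll is what forensics will find.

A second added example (also not from the original thread) for the blue-team side: a PowerShell function that flags process-creation records in which a framework-directory csc.exe is launched with the /noconfig /fullpaths @"...cmdline" pattern quoted above, and derives from the response-file argument the %TEMP% prefix under which the sibling .dll and .X.X.cs would be written. The log records are constructed for the example, and the function assumes the @"..." argument is quoted as in the thread's command line.

```powershell
# Added example, not part of the original thread.
# Detect CodeDom-style csc.exe launches and predict the artifact paths.
function Test-CodeDomCscLaunch {
    param(
        [Parameter(Mandatory)][string]$Image,
        [Parameter(Mandatory)][string]$CommandLine
    )

    # csc.exe under the framework directory (Framework or Framework64, any version)
    $fromFramework = $Image -match '\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\csc\.exe$'

    # Response-file invocation exactly as CodeDom emits it:
    #   "<path>\csc.exe" /noconfig /fullpaths @"<temp>\<random>.cmdline"
    $cmdlineFile = $null
    if ($CommandLine -match '/noconfig\s+/fullpaths\s+@"(?<rsp>[^"]+\.cmdline)"') {
        $cmdlineFile = $Matches['rsp']
    }

    if ($fromFramework -and $cmdlineFile) {
        $prefix = $cmdlineFile -replace '\.cmdline$', ''
        [pscustomobject]@{
            Suspicious   = $true
            Image        = $Image
            ResponseFile = $cmdlineFile
            ExpectedDll  = "$prefix.dll"    # the artifact that normally survives
            ExpectedSrc  = "$prefix.*.cs"   # e.g. <random>.2.0.cs, normally deleted
        }
    } else {
        [pscustomobject]@{
            Suspicious = $false; Image = $Image
            ResponseFile = $null; ExpectedDll = $null; ExpectedSrc = $null
        }
    }
}

# Constructed sample records (not real telemetry). Field names mirror the
# Image / CommandLine pair that process-creation logging typically carries.
$records = @(
    @{ Image       = 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe'
       CommandLine = '"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\bob\AppData\Local\Temp\q3ltsnsp.cmdline"' },
    @{ Image       = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe'
       CommandLine = '"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Windows\Temp\a1b2c3d4.cmdline"' },
    @{ Image       = 'C:\Program Files\dotnet\dotnet.exe'
       CommandLine = 'dotnet build MyProject.csproj' }
)

$hits = foreach ($r in $records) { Test-CodeDomCscLaunch @r }
$hits | Format-Table Suspicious, ResponseFile, ExpectedDll -AutoSize

# For each hit, collect whatever still exists beside the response file
# before the attacker (or the compiler) cleans up.
foreach ($h in $hits | Where-Object Suspicious) {
    $prefix = $h.ResponseFile -replace '\.cmdline$', ''
    Get-ChildItem -Path "$prefix*" -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}
```

Feeding real process-creation events into Test-CodeDomCscLaunch is a matter of mapping your log source's image and command-line fields onto the two parameters; the first two constructed records match, the dotnet build record does not. Because the .cmdline and .cs files are deleted on success, the predicted .dll path is the one worth grabbing first.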