Potential Application Whitelisting Bypass via Dnx.EXE
Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code. Attackers might abuse this in order to bypass application whitelisting.
Sigma rule
title: Potential Application Whitelisting Bypass via Dnx.EXE
id: 81ebd28b-9607-4478-bf06-974ed9d53ed7
status: test
description: |
    Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code.
    Attackers might abuse this in order to bypass application whitelisting.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/
    - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
author: Beyu Denis, oscd.community
date: 2019-10-26
modified: 2024-04-24
tags:
    - attack.defense-evasion
    - attack.t1218
    - attack.t1027.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\dnx.exe'
    condition: selection
falsepositives:
    - Legitimate use of dnx.exe by legitimate user
level: medium
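The rule's whole detection logic is a single `Image|endswith: '\dnx.exe'` test, so it is worth seeing exactly what that fires on and what it does not. The script below is an added example, not code from the SigmaHQ page or from the Sigma project: it re-implements just the subset of Sigma matching this rule needs (field modifiers with Sigma's default case-insensitive string comparison) and runs the selection over constructed process_creation events with Sysmon-style field names. The event values and paths are made up for illustration.

```python
"""Run this rule's `selection` over constructed process_creation events.

Added example, not code from the SigmaHQ rule page or from the Sigma project.
It re-implements only the subset of Sigma matching the rule needs: a
`field|modifier` key with Sigma's default case-insensitive comparison.
All events and paths below are constructed.
"""
from typing import Dict, List

# Detection block transcribed from the rule above; the condition is just `selection`.
RULE_SELECTION: Dict[str, str] = {"Image|endswith": "\\dnx.exe"}


def field_matches(key: str, pattern: str, event: Dict[str, str]) -> bool:
    """Evaluate one `field|modifier: pattern` pair against an event."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:  # field absent from the event: no match, no error
        return False
    v, p = value.lower(), pattern.lower()  # Sigma compares strings case-insensitively
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    if modifier == "":
        return v == p
    raise ValueError(f"unsupported modifier: {modifier!r}")


def selection_matches(selection: Dict[str, str], event: Dict[str, str]) -> bool:
    """All key/value pairs inside one Sigma map are ANDed together."""
    return all(field_matches(k, v, event) for k, v in selection.items())


def evaluate(events: List[Dict[str, str]]) -> List[str]:
    """Return the ProcessIds of the events the rule would alert on."""
    return [e["ProcessId"] for e in events if selection_matches(RULE_SELECTION, e)]


# Constructed process_creation events (Sysmon-style field names).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Mixed-case binary name in a user-writable directory: fires.
    {"ProcessId": "1001",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Dnx.EXE",
     "CommandLine": "Dnx.EXE run"},
    # A developer using the utility (the rule's stated false positive) fires too;
    # that is why the rule is `level: medium` and needs user/host context to triage.
    {"ProcessId": "1002",
     "Image": "C:\\Users\\bob\\.dnx\\runtimes\\example\\bin\\dnx.exe",
     "CommandLine": "dnx.exe web"},
    # Unrelated process: no match.
    {"ProcessId": "1003",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe"},
    # Ends with "dnx.exe" but not with "\dnx.exe": the leading backslash in the
    # pattern anchors the match to the whole file name, so this does not fire.
    {"ProcessId": "1004",
     "Image": "C:\\tools\\notdnx.exe",
     "CommandLine": "notdnx.exe"},
    # Event without an Image field: only Image is inspected, so no match.
    {"ProcessId": "1005",
     "CommandLine": "dnx.exe"},
]

if __name__ == "__main__":
    for pid in evaluate(SAMPLE_EVENTS):
        print(f"ALERT: process {pid} matched {RULE_SELECTION}")
```

Running it alerts on processes 1001 and 1002 only. The second of those is the legitimate-developer case the rule lists under `falsepositives`, so in practice the alert is triaged on who launched the binary and from where, not suppressed by tightening the pattern.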
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE