Potential Application Whitelisting Bypass via Dnx.EXE
Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code. Attackers might abuse this in order to bypass application whitelisting.
Sigma rule (View on GitHub)
1title: Potential Application Whitelisting Bypass via Dnx.EXE
2id: 81ebd28b-9607-4478-bf06-974ed9d53ed7
3status: test
4description: |
5 Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code.
6 Attackers might abuse this in order to bypass application whitelisting.
7references:
8 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/
9 - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
10author: Beyu Denis, oscd.community
11date: 2019/10/26
12modified: 2024/04/24
13tags:
14 - attack.defense_evasion
15 - attack.t1218
16 - attack.t1027.004
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection:
22 Image|endswith: '\dnx.exe'
23 condition: selection
24falsepositives:
25 - Legitimate use of dnx.exe by legitimate user
26level: medium
References
-
Use csi.exe to run unsigned C# code. csi.exe file Use caseLocal execution of unsigned C# code. Privileges requiredUser Operating systemsWindows ATT&CK® techniqueT1127
Read More -
Over the past few weeks, I have had the pleasure to work side-by-side with Matt Graeber (@mattifestation) and Casey Smith (@subtee) researching Device Guard user mode code integrity (UMCI) bypasses…
Read More
Related rules
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- COM Object Execution via Xwizard.EXE
- Potential Arbitrary File Download Via Cmdl32.EXE
- Potential Binary Proxy Execution Via Cdb.EXE
- Process Memory Dump Via Dotnet-Dump