Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE

 1title: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
 2id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
 3status: test
 4description: Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.
 5references:
 6    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/
 7    - https://twitter.com/_felamos/status/1204705548668555264
 8    - https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
 9author: Beyu Denis, oscd.community
10date: 2020-10-18
11modified: 2024-04-24
12tags:
13    - attack.defense-evasion
14    - attack.t1218
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_img:
20        - Image|endswith: '\dotnet.exe'
21        - OriginalFileName: '.NET Host'
22    selection_cli:
23        CommandLine|endswith:
24            - '.csproj'
25            - '.csproj"'
26            - '.dll'
27            - '.dll"'
28            - ".csproj'"
29            - ".dll'"
30    condition: all of selection_*
31falsepositives:
32    - Legitimate administrator usage
33level: medium

References

• Dotnet on LOLBAS

  

  Dotnet.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

• x.com

  
  Read More

• DotNet Core: A Vector For AWL Bypass & Defense Evasion

  

  [*] Introduction .NET Core is an open-source, cross-platform framework for building and running applications.  The framework was introduced in 2014 as the (eventual) successor to the ever-popu…

  
  Read More

Related rules

• Abusing Print Executable
• AddinUtil.EXE Execution From Uncommon Directory
• AgentExecutor PowerShell Execution
• Arbitrary File Download Via MSOHTMED.EXE
• Arbitrary File Download Via MSPUB.EXE