Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE

 1title: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
 2id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
 3status: test
 4description: Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.
 5references:
 6    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/
 7    - https://twitter.com/_felamos/status/1204705548668555264
 8    - https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
 9author: Beyu Denis, oscd.community
10date: 2020-10-18
11modified: 2025-10-08
12tags:
13    - attack.defense-evasion
14    - attack.t1218
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_img:
20        - Image|endswith: '\dotnet.exe'
21        - OriginalFileName: '.NET Host'
22    selection_cli:
23        CommandLine|endswith:
24            - '.csproj'
25            - '.csproj"'
26            - '.dll'
27            - '.dll"'
28            - ".csproj'"
29            - ".dll'"
30    filter_optional_notepad++:
31        ParentImage:
32            - 'C:\Program Files (x86)\Notepad++\notepad++.exe'
33            - 'C:\Program Files\Notepad++\notepad++.exe'
34        CommandLine|contains|all:
35            - 'C:\ProgramData\CSScriptNpp\'
36            - '-cscs_path:'
37            - '\cs-script\cscs.dll'
38    condition: all of selection_* and not 1 of filter_optional_*
39falsepositives:
40    - Legitimate administrator usage
41level: medium

References

• Dotnet on LOLBAS

  

  Dotnet.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

• 

  Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.

  
  Read More

• DotNet Core: A Vector For AWL Bypass & Defense Evasion

  

  [*] Introduction .NET Core is an open-source, cross-platform framework for building and running applications.  The framework was introduced in 2014 as the (eventual) successor to the ever-popu…

  
  Read More

Related rules

• Process Proxy Execution Via Squirrel.EXE
• Verclsid.exe Runs COM Object
• Potentially Suspicious Child Processes Spawned by ConHost
• Scheduled Task Creation with Curl and PowerShell Execution Combo
• Curl Download And Execute Combination