Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE

 1title: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
 2id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
 3status: test
 4description: Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.
 5references:
 6    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/
 7    - https://twitter.com/_felamos/status/1204705548668555264
 8    - https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
 9author: Beyu Denis, oscd.community
10date: 2020/10/18
11modified: 2024/04/24
12tags:
13    - attack.defense_evasion
14    - attack.t1218
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_img:
20        - Image|endswith: '\dotnet.exe'
21        - OriginalFileName: '.NET Host'
22    selection_cli:
23        CommandLine|endswith:
24            - '.csproj'
25            - '.csproj"'
26            - '.dll'
27            - '.dll"'
28            - ".csproj'"
29            - ".dll'"
30    condition: all of selection_*
31falsepositives:
32    - Legitimate administrator usage
33level: medium

References

• Dotnet | LOLBAS

  dotnet.exe will open a console which allows for the execution of arbitrary F# commands dotnet.exe fsi Use caseExecute arbitrary F# code Privileges requiredUser Operating systemsWindows 10 and up wi...

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• DotNet Core: A Vector For AWL Bypass & Defense Evasion

  

  [*] Introduction .NET Core is an open-source, cross-platform framework for building and running applications.  The framework was introduced in 2014 as the (eventual) successor to the ever-popu…

  
  Read More

Related rules

• COM Object Execution via Xwizard.EXE
• Potential Application Whitelisting Bypass via Dnx.EXE
• Potential Arbitrary File Download Via Cmdl32.EXE
• Potential Binary Proxy Execution Via Cdb.EXE
• Process Memory Dump Via Dotnet-Dump