Binary Proxy Execution Via Dotnet-Trace.EXE

calendar Jan 10, 2024 · attack.execution attack.defense_evasion attack.t1218  ·
Share on: linkedin copy

Detects commandline arguments for executing a child process via dotnet-trace.exe

Sigma rule (View on GitHub)

 1title: Binary Proxy Execution Via Dotnet-Trace.EXE
 2id: 9257c05b-4a4a-48e5-a670-b7b073cf401b
 3status: experimental
 4description: Detects commandline arguments for executing a child process via dotnet-trace.exe
 5references:
 6    - https://twitter.com/bohops/status/1740022869198037480
 7author: Jimmy Bayne (@bohops)
 8date: 2024/01/02
 9tags:
10    - attack.execution
11    - attack.defense_evasion
12    - attack.t1218
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_img:
18        - Image|endswith: '\dotnet-trace.exe'
19        - OriginalFileName: 'dotnet-trace.dll'
20    selection_cli:
21        CommandLine|contains|all:
22            - '-- '
23            - 'collect'
24    condition: all of selection_*
25falsepositives:
26    - Legitimate usage of the utility in order to debug and trace a program.
27level: medium

References

  • Something went wrong, but don’t fret — let’s give it another shot.


    Read More

Related rules

to-top