2019-12-11 11:23:12 +01:00
|
|
|
---
|
2020-01-07 08:40:24 +01:00
|
|
|
Name: Dotnet.exe
|
2019-12-11 11:23:12 +01:00
|
|
|
Description: dotnet.exe comes with .NET Framework
|
|
|
|
Author: 'felamos'
|
|
|
|
Created: '2019-11-12'
|
|
|
|
Commands:
|
|
|
|
- Command: dotnet.exe [PATH_TO_DLL]
|
|
|
|
Description: dotnet.exe will execute any dll even if applocker is enabled.
|
|
|
|
Category: AWL Bypass
|
|
|
|
Privileges: User
|
|
|
|
MitreID: T1218
|
|
|
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
|
|
|
OperatingSystem: Windows 7 and up with .NET installed
|
|
|
|
- Command: dotnet.exe [PATH_TO_DLL]
|
|
|
|
Description: dotnet.exe will execute any DLL.
|
|
|
|
Usecase: Execute DLL
|
|
|
|
Category: Execute
|
|
|
|
Privileges: User
|
|
|
|
MitreID: T1218
|
|
|
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
|
|
|
OperatingSystem: Windows 7 and up with .NET installed
|
2020-07-03 20:56:06 +02:00
|
|
|
- Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ]
|
|
|
|
Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code
|
|
|
|
Category: AWL Bypass
|
|
|
|
Privileges: User
|
|
|
|
MitreID: T1218
|
|
|
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
|
|
|
|
OperatingSystem: Windows 10 with .NET Core installed
|
2019-12-11 11:23:12 +01:00
|
|
|
Full_Path:
|
|
|
|
- Path: 'C:\Program Files\dotnet\dotnet.exe'
|
|
|
|
Detection:
|
|
|
|
- IOC: dotnet.exe spawned an unknown process
|
|
|
|
Resources:
|
|
|
|
- Link: https://twitter.com/_felamos/status/1204705548668555264
|
2020-07-03 20:56:06 +02:00
|
|
|
- Link: https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc
|
|
|
|
- Link: https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
|
2019-12-11 11:23:12 +01:00
|
|
|
Acknowledgement:
|
|
|
|
- Person: felamos
|
|
|
|
Handle: '@_felamos'
|
2020-07-03 20:56:06 +02:00
|
|
|
- Person: Jimmy
|
|
|
|
Handle: '@bohops'
|
2019-12-11 11:23:12 +01:00
|
|
|
---
|