public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-10-23 17:19:23 +02:00
Code Issues Projects Releases Wiki Activity
c24cad7868
LOLBAS/yml/OtherMSBinaries/Dotnet.yml

41 lines
1.6 KiB
YAML
Raw Normal View History

Create dotnet.yml
2019-12-11 11:23:12 +01:00
---
Capitalized dotnet name
2020-01-07 08:40:24 +01:00
Name: Dotnet.exe
Create dotnet.yml
2019-12-11 11:23:12 +01:00
Description: dotnet.exe comes with .NET Framework
Author: 'felamos'
Standardise date formats (see https://yaml.org/type/timestamp.html)
2021-01-10 16:04:52 +01:00
Created: 2019-11-12
Create dotnet.yml
2019-12-11 11:23:12 +01:00
Commands:
- Command: dotnet.exe [PATH_TO_DLL]
Description: dotnet.exe will execute any dll even if applocker is enabled.
Category: AWL Bypass
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with .NET installed
- Command: dotnet.exe [PATH_TO_DLL]
Description: dotnet.exe will execute any DLL.
Usecase: Execute DLL
Category: Execute
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with .NET installed
Added dotnet msbuild awl bypass technique
2020-07-03 20:56:06 +02:00
- Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ]
Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code
Category: AWL Bypass
Privileges: User
MitreID: T1218
OperatingSystem: Windows 10 with .NET Core installed
Create dotnet.yml
2019-12-11 11:23:12 +01:00
Full_Path:
- Path: 'C:\Program Files\dotnet\dotnet.exe'
Standardise date formats (see https://yaml.org/type/timestamp.html)
2021-01-10 16:04:52 +01:00
Detection:
Detection Resources and Other Updates (#179) * Add detection links for scripts * Add detection links for OtherMSBins. Fixed and updated as needed. * Add detection links for MSBins. Fixed and updated as needed. * Add detection links for oslibraries * Updating template for Detections * Removing empty Detection:Sigma entries * Remove redundant blank line * Replacing commit URL with file URL Co-authored-by: root <root@DESKTOP-5CR935D.localdomain> Co-authored-by: Wietze <wietze@users.noreply.github.com>
2021-11-15 14:19:03 +01:00
- Sigma: https://github.com/SigmaHQ/sigma/blob/0bf262539301693a18646056ea789b9b56b9c7f6/rules/windows/process_creation/process_creation_dotnet.yml
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
Create dotnet.yml
2019-12-11 11:23:12 +01:00
- IOC: dotnet.exe spawned an unknown process
Resources:
- Link: https://twitter.com/_felamos/status/1204705548668555264
Added dotnet msbuild awl bypass technique
2020-07-03 20:56:06 +02:00
- Link: https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc
- Link: https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
Create dotnet.yml
2019-12-11 11:23:12 +01:00
Acknowledgement:
- Person: felamos
Handle: '@_felamos'
Added dotnet msbuild awl bypass technique
2020-07-03 20:56:06 +02:00
- Person: Jimmy
Standardise date formats (see https://yaml.org/type/timestamp.html)
2021-01-10 16:04:52 +01:00
Handle: '@bohops'
Reference in New Issue Copy Permalink