From 5cb17cfb26e281eb40d51a8a2bcde4914cb4abc1 Mon Sep 17 00:00:00 2001 From: Ayush Sahay <47629256+felamos@users.noreply.github.com> Date: Wed, 11 Dec 2019 15:53:12 +0530 Subject: [PATCH] Create dotnet.yml --- yml/OtherMSBinaries/dotnet.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 yml/OtherMSBinaries/dotnet.yml diff --git a/yml/OtherMSBinaries/dotnet.yml b/yml/OtherMSBinaries/dotnet.yml new file mode 100644 index 0000000..b647d97 --- /dev/null +++ b/yml/OtherMSBinaries/dotnet.yml @@ -0,0 +1,31 @@ +--- +Name: dotnet.exe +Description: dotnet.exe comes with .NET Framework +Author: 'felamos' +Created: '2019-11-12' +Commands: + - Command: dotnet.exe [PATH_TO_DLL] + Description: dotnet.exe will execute any dll even if applocker is enabled. + Category: AWL Bypass + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows 7 and up with .NET installed + - Command: dotnet.exe [PATH_TO_DLL] + Description: dotnet.exe will execute any DLL. + Usecase: Execute DLL + Category: Execute + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows 7 and up with .NET installed +Full_Path: + - Path: 'C:\Program Files\dotnet\dotnet.exe' +Detection: + - IOC: dotnet.exe spawned an unknown process +Resources: + - Link: https://twitter.com/_felamos/status/1204705548668555264 +Acknowledgement: + - Person: felamos + Handle: '@_felamos' +---
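Review bot: The first entry under `Commands:` (Category: AWL Bypass) has no `Usecase:` key, while the second entry carries `Usecase: Execute DLL`, so the two entries do not follow the same schema. Add a `Usecase:` line to the first entry. Both entries also use the identical command `dotnet.exe [PATH_TO_DLL]` with near-identical descriptions, so the Description of each should say what distinguishes it. `Created: '2019-11-12'` does not match the patch's own `Date: Wed, 11 Dec 2019` header. It looks like day and month were swapped, and `'2019-12-11'` would agree with the commit. The top-level `Description: dotnet.exe comes with .NET Framework` sits oddly beside `Full_Path` of `C:\Program Files\dotnet\dotnet.exe` and the looser "with .NET installed" in `OperatingSystem`. Name the exact product that installs the binary so defenders know which hosts to scope. `IOC: dotnet.exe spawned an unknown process` is too vague to turn into a detection. Stating what is observable from the command as documented, for example dotnet.exe launched with a DLL path outside expected build or application directories, would make it actionable. The trailing `---` after `Acknowledgement` opens a second, empty YAML document and can be dropped.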