Added fsi to dotnet.exe (#281)

Co-authored-by: Wietze <wietze@users.noreply.github.com>
2025-11-04 02:29:34 +01:00 · 2023-02-25 22:10:45 +02:00
parent 74d010a893
commit 8283b4b7e3
1 changed files with 11 additions and 1 deletions
--- a/yml/OtherMSBinaries/Dotnet.yml
+++ b/yml/OtherMSBinaries/Dotnet.yml
@@ -18,13 +18,20 @@ Commands:
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 7 and up with .NET installed
+  - Command: dotnet.exe fsi
+    Description: dotnet.exe will open a console which allows for the execution of arbitrary F# commands
+    Usecase: Execute arbitrary F# code
+    Category: Execute
+    Privileges: User
+    MitreID: T1059
+    OperatingSystem: Windows 10 and up with .NET SDK installed
  - Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ]
    Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code
    Usecase: Execute code bypassing AWL
    Category: AWL Bypass
    Privileges: User
    MitreID: T1218
-    OperatingSystem: Windows 10 with .NET Core installed
+    OperatingSystem: Windows 10 and up with .NET Core installed
 Full_Path:
  - Path: 'C:\Program Files\dotnet\dotnet.exe'
 Detection:
@@ -35,8 +42,11 @@ Resources:
  - Link: https://twitter.com/_felamos/status/1204705548668555264
  - Link: https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc
  - Link: https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
+  - Link: https://learn.microsoft.com/en-us/dotnet/fsharp/tools/fsharp-interactive/
 Acknowledgement:
  - Person: felamos
    Handle: '@_felamos'
  - Person: Jimmy
    Handle: '@bohops'
+  - Person: yamalon
+    Handle: '@mavinject'