diff --git a/yml/OtherMSBinaries/Dotnet.yml b/yml/OtherMSBinaries/Dotnet.yml index b202817..1ad14b0 100644 --- a/yml/OtherMSBinaries/Dotnet.yml +++ b/yml/OtherMSBinaries/Dotnet.yml @@ -18,13 +18,20 @@ Commands: Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with .NET installed + - Command: dotnet.exe fsi + Description: dotnet.exe will open a console which allows for the execution of arbitrary F# commands + Usecase: Execute arbitrary F# code + Category: Execute + Privileges: User + MitreID: T1059 + OperatingSystem: Windows 10 and up with .NET SDK installed - Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ] Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code Usecase: Execute code bypassing AWL Category: AWL Bypass Privileges: User MitreID: T1218 - OperatingSystem: Windows 10 with .NET Core installed + OperatingSystem: Windows 10 and up with .NET Core installed Full_Path: - Path: 'C:\Program Files\dotnet\dotnet.exe' Detection: @@ -35,8 +42,11 @@ Resources: - Link: https://twitter.com/_felamos/status/1204705548668555264 - Link: https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc - Link: https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/ + - Link: https://learn.microsoft.com/en-us/dotnet/fsharp/tools/fsharp-interactive/ Acknowledgement: - Person: felamos Handle: '@_felamos' - Person: Jimmy Handle: '@bohops' + - Person: yamalon + Handle: '@mavinject'