From 8283b4b7e354b215f99c7901aff38ed78a49c7a1 Mon Sep 17 00:00:00 2001
From: YamAlon <60539492+YamAlon@users.noreply.github.com>
Date: Sat, 25 Feb 2023 22:10:45 +0200
Subject: [PATCH] Added fsi to dotnet.exe (#281)

Co-authored-by: Wietze <wietze@users.noreply.github.com>
---
 yml/OtherMSBinaries/Dotnet.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/yml/OtherMSBinaries/Dotnet.yml b/yml/OtherMSBinaries/Dotnet.yml
index b202817..1ad14b0 100644
--- a/yml/OtherMSBinaries/Dotnet.yml
+++ b/yml/OtherMSBinaries/Dotnet.yml
@@ -18,13 +18,20 @@ Commands:
     Privileges: User
     MitreID: T1218
     OperatingSystem: Windows 7 and up with .NET installed
+  - Command: dotnet.exe fsi
+    Description: dotnet.exe will open a console which allows for the execution of arbitrary F# commands
+    Usecase: Execute arbitrary F# code
+    Category: Execute
+    Privileges: User
+    MitreID: T1059
+    OperatingSystem: Windows 10 and up with .NET SDK installed
   - Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ]
     Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code
     Usecase: Execute code bypassing AWL
     Category: AWL Bypass
     Privileges: User
     MitreID: T1218
-    OperatingSystem: Windows 10 with .NET Core installed
+    OperatingSystem: Windows 10 and up with .NET Core installed
 Full_Path:
   - Path: 'C:\Program Files\dotnet\dotnet.exe'
 Detection:
@@ -35,8 +42,11 @@ Resources:
   - Link: https://twitter.com/_felamos/status/1204705548668555264
   - Link: https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc
   - Link: https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
+  - Link: https://learn.microsoft.com/en-us/dotnet/fsharp/tools/fsharp-interactive/
 Acknowledgement:
   - Person: felamos
     Handle: '@_felamos'
   - Person: Jimmy
     Handle: '@bohops'
+  - Person: yamalon
+    Handle: '@mavinject'