public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-12-25 22:39:27 +01:00
Code Issues Projects Releases Wiki Activity

Added dotnet msbuild awl bypass technique

Browse Source
This commit is contained in:
bohops 2020-07-03 14:56:06 -04:00 committed by GitHub
parent a976eaefe1
commit 92f020b885
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
yml/OtherMSBinaries/Dotnet.yml
View File

@ -19,13 +19,24 @@ Commands:
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 7 and up with .NET installed
- Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ]
Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10 with .NET Core installed
Full_Path:
- Path: 'C:\Program Files\dotnet\dotnet.exe'
Detection:
- IOC: dotnet.exe spawned an unknown process
Resources:
- Link: https://twitter.com/_felamos/status/1204705548668555264
- Link: https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc
- Link: https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
Acknowledgement:
- Person: felamos
Handle: '@_felamos'
- Person: Jimmy
Handle: '@bohops'
---