--- Name: Dotnet.exe Description: dotnet.exe comes with .NET Framework Author: 'felamos' Created: 2019-11-12 Commands: - Command: dotnet.exe [PATH_TO_DLL] Description: dotnet.exe will execute any dll even if applocker is enabled. Usecase: Execute code bypassing AWL Category: AWL Bypass Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with .NET installed - Command: dotnet.exe [PATH_TO_DLL] Description: dotnet.exe will execute any DLL. Usecase: Execute DLL Category: Execute Privileges: User MitreID: T1218 OperatingSystem: Windows 7 and up with .NET installed - Command: dotnet.exe fsi Description: dotnet.exe will open a console which allows for the execution of arbitrary F# commands Usecase: Execute arbitrary F# code Category: Execute Privileges: User MitreID: T1059 OperatingSystem: Windows 10 and up with .NET SDK installed - Command: dotnet.exe msbuild [Path_TO_XML_CSPROJ] Description: dotnet.exe with msbuild (SDK Version) will execute unsigned code Usecase: Execute code bypassing AWL Category: AWL Bypass Privileges: User MitreID: T1218 OperatingSystem: Windows 10 and up with .NET Core installed Full_Path: - Path: 'C:\Program Files\dotnet\dotnet.exe' Detection: - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules - IOC: dotnet.exe spawned an unknown process Resources: - Link: https://twitter.com/_felamos/status/1204705548668555264 - Link: https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc - Link: https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/ - Link: https://learn.microsoft.com/en-us/dotnet/fsharp/tools/fsharp-interactive/ Acknowledgement: - Person: felamos Handle: '@_felamos' - Person: Jimmy Handle: '@bohops' - Person: yamalon Handle: '@mavinject'