
Summary
The rule "Dotnet.exe Execution" detects process creation of dotnet.exe, the command-line host for .NET (formerly .NET Core). Because dotnet.exe is a Microsoft-signed binary that default-allow application control policies such as AppLocker typically permit, and because it will load and run an arbitrary managed DLL passed to it on the command line (dotnet.exe payload.dll), adversaries use it to proxy execution of their own code through a trusted binary; it is catalogued as a Living Off the Land Binary (LOLBAS). The rule is a Splunk query over Windows Security event logs filtered to EventCode 4688 (a new process has been created). For each matching event it records the executing user, host, the new and parent process identifiers and the parent process, and aggregates the results into one-second time spans so that bursts of dotnet.exe launches on the same host and user are grouped for analysis. Two practical caveats: the DLL argument is only visible if command-line auditing is enabled for 4688 (Audit Process Creation with "Include command line in process creation events"), and developer workstations and build servers run dotnet.exe legitimately, so the rule should be tuned by parent process, user and the location of the DLL being loaded. The rule maps to MITRE ATT&CK technique T1218 (System Binary Proxy Execution), a defense evasion technique built on legitimate but abusable system binaries.
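The following is an added example, not the rule's own SPL or any code from the corpus: a small Python re-implementation of the detection logic the summary describes, run over constructed 4688 events. It filters to EventCode 4688 with a new process name ending in dotnet.exe, buckets matches into one-second spans keyed by host, user and parent process, and keeps the new/parent process identifiers. As a triage enrichment that goes beyond the rule itself, it also extracts any .dll argument from the command line and flags DLLs loaded from user-writable locations. Field names follow the Windows 4688 event schema (NewProcessName, ParentProcessName, SubjectUserName, NewProcessId, ProcessId, CommandLine); the hosts, users, paths and timestamps are invented, and the SPL sketch in the comments is an assumed reconstruction, not the rule's query.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed shape of the Splunk query the summary describes (a reconstruction,
# not the rule's own SPL; field names depend on the Windows TA in use):
#   index=wineventlog EventCode=4688 NewProcessName="*\\dotnet.exe"
#   | bin _time span=1s
#   | stats count values(NewProcessId) values(ProcessId)
#       by _time host SubjectUserName ParentProcessName

# Constructed sample Security log events (values invented for this demo).
SAMPLE_EVENTS = [
    {"_time": "2025-05-31T10:15:02.100Z", "host": "WS01", "EventCode": 4688,
     "SubjectUserName": "alice", "NewProcessId": "0x1a2c", "ProcessId": "0x0b4c",
     "NewProcessName": "C:\\Program Files\\dotnet\\dotnet.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "CommandLine": "dotnet.exe C:\\Users\\alice\\Downloads\\update.dll"},
    # Child of dotnet.exe: not a dotnet.exe launch, so the rule ignores it.
    {"_time": "2025-05-31T10:15:02.700Z", "host": "WS01", "EventCode": 4688,
     "SubjectUserName": "alice", "NewProcessId": "0x1a30", "ProcessId": "0x1a2c",
     "NewProcessName": "C:\\Windows\\System32\\conhost.exe",
     "ParentProcessName": "C:\\Program Files\\dotnet\\dotnet.exe",
     "CommandLine": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4"},
    # Second launch within the same one-second span: aggregated with the first.
    {"_time": "2025-05-31T10:15:02.900Z", "host": "WS01", "EventCode": 4688,
     "SubjectUserName": "alice", "NewProcessId": "0x1a44", "ProcessId": "0x0b4c",
     "NewProcessName": "C:\\Program Files\\dotnet\\dotnet.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "CommandLine": "dotnet.exe C:\\Users\\alice\\Downloads\\update.dll"},
    # Legitimate build activity: matches the rule but carries no DLL argument.
    {"_time": "2025-05-31T10:16:40.000Z", "host": "BUILD01", "EventCode": 4688,
     "SubjectUserName": "svc_build", "NewProcessId": "0x2210", "ProcessId": "0x0e10",
     "NewProcessName": "C:\\Program Files\\dotnet\\dotnet.exe",
     "ParentProcessName": "C:\\Program Files\\Git\\usr\\bin\\bash.exe",
     "CommandLine": "dotnet build src\\App.csproj -c Release"},
    # Process termination event (4689): filtered out by EventCode.
    {"_time": "2025-05-31T10:16:41.000Z", "host": "WS01", "EventCode": 4689,
     "SubjectUserName": "alice", "ProcessId": "0x1a2c",
     "ProcessName": "C:\\Program Files\\dotnet\\dotnet.exe"},
]

DOTNET_RE = re.compile(r"(^|\\)dotnet\.exe$", re.IGNORECASE)
DLL_ARG_RE = re.compile(r"(\S+\.dll)\b", re.IGNORECASE)
# Assumed triage heuristic (not part of the rule): DLLs under these roots are
# user-writable and therefore more interesting than the SDK's own directory.
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamp used in the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def matches(event):
    """The rule's filter: a 4688 event whose new process is dotnet.exe."""
    return event.get("EventCode") == 4688 and bool(
        DOTNET_RE.search(event.get("NewProcessName", "")))


def dll_argument(event):
    """Return the first .dll path on the command line, or None (needs command-line auditing)."""
    m = DLL_ARG_RE.search(event.get("CommandLine", ""))
    return m.group(1) if m else None


def detect(events, span_seconds=1):
    """Group matching 4688 events into span_seconds buckets by host, user and parent."""
    buckets = defaultdict(list)
    for ev in events:
        if not matches(ev):
            continue
        bucket = int(parse_time(ev["_time"]).timestamp()) // span_seconds * span_seconds
        buckets[(bucket, ev["host"], ev["SubjectUserName"], ev["ParentProcessName"])].append(ev)

    results = []
    for (bucket, host, user, parent), evs in sorted(buckets.items()):
        dlls = sorted({d for d in (dll_argument(e) for e in evs) if d})
        results.append({
            "_time": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
            "host": host,
            "user": user,
            "parent_process": parent,
            "count": len(evs),
            "process_ids": [e["NewProcessId"] for e in evs],
            "parent_process_ids": sorted({e["ProcessId"] for e in evs}),
            "dll_args": dlls,
            "user_writable_dll": any(USER_WRITABLE_RE.match(d) for d in dlls),
        })
    return results


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

On the sample data the first result groups two dotnet.exe launches on WS01 into the 10:15:02 span and surfaces the DLL loaded from the user's Downloads folder; the BUILD01 hit has no DLL argument and a build-tool parent, which is the kind of hit a tuning allowlist would suppress.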
Categories
- Windows
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1218
Created: 2025-05-31