Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE

Summary
This detection rule identifies the execution of arbitrary DLL files, or of unsigned code packaged in .csproj project files, through Dotnet.EXE on Windows systems. It inspects process creation logs for invocations of Dotnet.EXE whose command line names a .csproj or .dll file. Monitoring this activity helps surface defense evasion, where attackers run their own code through a legitimate, signed binary. The rule fires when a process creation event matches the defined conditions: command line arguments that reference project files or dynamic link libraries. Because administrators also use Dotnet.EXE for legitimate tasks, such activity can trigger false positives. Overall, the rule is a precautionary measure against misuse of .NET execution paths to run unintended code or payloads.
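The following is an added example, not the Sigma rule's own YAML and not part of this page: it re-implements the selection described in the summary as a small matcher over constructed process-creation events, then applies a tuning allowlist of the kind a team might add to suppress the administrator false positives the summary mentions. The matching semantics (image ends with `\dotnet.exe`, any argument ends with `.dll` or `.csproj`) and the allowlist paths are assumptions; the published rule's exact field modifiers are not shown here.

```python
import shlex
from typing import Dict, List, Optional, Tuple

# Assumed selection, reconstructed from the summary above; the real rule's
# exact modifiers may differ.
SUSPECT_EXTENSIONS = (".dll", ".csproj")

# Constructed allowlist of build locations administrators use legitimately.
# This is tuning guidance for false positives, not part of the rule itself.
ALLOWED_PROJECT_PREFIXES = ("c:\\builds\\", "c:\\src\\")


def split_command_line(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, dropping surrounding quotes."""
    try:
        parts = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        parts = cmdline.split()
    return [p.strip('"').strip("'") for p in parts]


def suspect_argument(cmdline: str) -> Optional[str]:
    """Return the first argument naming a .dll or .csproj file, or None."""
    # argv[0] is the dotnet.exe path itself, so it is skipped.
    for arg in split_command_line(cmdline)[1:]:
        if arg.lower().endswith(SUSPECT_EXTENSIONS):
            return arg
    return None


def matches_rule(event: Dict[str, str]) -> bool:
    """True when the image is dotnet.exe and an argument names a .dll/.csproj."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\dotnet.exe"):
        return False
    return suspect_argument(event.get("CommandLine", "")) is not None


def is_allowlisted(event: Dict[str, str]) -> bool:
    """True when the referenced file sits under an approved build directory."""
    arg = suspect_argument(event.get("CommandLine", ""))
    return arg is not None and arg.lower().startswith(ALLOWED_PROJECT_PREFIXES)


def triage(events: List[Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """Return (ids matching the rule, ids still alerting after the allowlist)."""
    matched = [e["id"] for e in events if matches_rule(e)]
    remaining = [e["id"] for e in events if matches_rule(e) and not is_allowlisted(e)]
    return matched, remaining


# Constructed sample events in the shape of Sysmon/EDR process-creation records.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "ev1", "Image": r"C:\Program Files\dotnet\dotnet.exe",
     "CommandLine": r'"C:\Program Files\dotnet\dotnet.exe" C:\Users\Public\loader.dll'},
    {"id": "ev2", "Image": r"C:\Program Files\dotnet\dotnet.exe",
     "CommandLine": r"dotnet msbuild C:\builds\app\app.csproj /t:Build"},
    {"id": "ev3", "Image": r"C:\Program Files\dotnet\dotnet.exe",
     "CommandLine": "dotnet --list-sdks"},
    {"id": "ev4", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\loader.dll,Start"},
    {"id": "ev5", "Image": r"C:\Program Files\dotnet\dotnet.exe",
     "CommandLine": r'dotnet run --project "C:\Temp\stage.csproj"'},
]

if __name__ == "__main__":
    hits, alerts = triage(SAMPLE_EVENTS)
    print("rule matches:      ", hits)
    print("after allowlisting:", alerts)
```

Note that an allowlist keyed only on a path prefix is a coarse filter: it suppresses noise from known build locations but would not help if an attacker staged a project file under one of those directories, so the rule matches should still be retained for retrospective search.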
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2020-10-18