← Library
sigmaDRL-1.1from SigmaHQ/sigma

Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE

Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.

Quality
74
FP risk
Forks
0
Views
0
ATT&CK techniques
T1218
Rule sourcerules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml
title: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
status: test
description: Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/
    - https://twitter.com/_felamos/status/1204705548668555264
    - https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
author: Beyu Denis, oscd.community
date: 2020-10-18
modified: 2025-10-08
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\dotnet.exe'
        - OriginalFileName: '.NET Host'
    selection_cli:
        CommandLine|endswith:
            - '.csproj'
            - '.csproj"'
            - '.dll'
            - '.dll"'
            - ".csproj'"
            - ".dll'"
    filter_optional_notepadplus_plus:
        ParentImage:
            - 'C:\Program Files (x86)\Notepad++\notepad++.exe'
            - 'C:\Program Files\Notepad++\notepad++.exe'
        CommandLine|contains|all:
            - 'C:\ProgramData\CSScriptNpp\'
            - '-cscs_path:'
            - '\cs-script\cscs.dll'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate administrator usage
level: medium