Windows DotNet Binary in Non Standard Path

The following analytic detects the execution of native .NET binaries from non-standard directories within the Windows operating system. It leverages Endpoint Detection and Response (EDR) telemetry, comparing process names and original file names against a predefined lookup "is_net_windows_file". This activity is significant because adversaries may move .NET binaries to unconventional paths to evade detection and execute malicious code. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a significant security risk. Also this analytic leverages a sub-search to enhance performance. sub-searches have limitations on the amount of data they can return. Keep this in mind if you have an extensive list of ransomware note file names.