← Back to Explore
sigmamediumHunting
Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.
Detection Query
selection_img:
- Image|endswith: \dotnet.exe
- OriginalFileName: .NET Host
selection_cli:
CommandLine|endswith:
- .csproj
- .csproj"
- .dll
- .dll"
- .csproj'
- .dll'
filter_optional_notepadplus_plus:
ParentImage:
- C:\Program Files (x86)\Notepad++\notepad++.exe
- C:\Program Files\Notepad++\notepad++.exe
CommandLine|contains|all:
- C:\ProgramData\CSScriptNpp\
- "-cscs_path:"
- \cs-script\cscs.dll
condition: all of selection_* and not 1 of filter_optional_*
Author
Beyu Denis, oscd.community
Created
2020-10-18
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1218
Raw Content
title: Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
status: test
description: Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/
- https://twitter.com/_felamos/status/1204705548668555264
- https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
author: Beyu Denis, oscd.community
date: 2020-10-18
modified: 2025-10-08
tags:
- attack.defense-evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\dotnet.exe'
- OriginalFileName: '.NET Host'
selection_cli:
CommandLine|endswith:
- '.csproj'
- '.csproj"'
- '.dll'
- '.dll"'
- ".csproj'"
- ".dll'"
filter_optional_notepadplus_plus:
ParentImage:
- 'C:\Program Files (x86)\Notepad++\notepad++.exe'
- 'C:\Program Files\Notepad++\notepad++.exe'
CommandLine|contains|all:
- 'C:\ProgramData\CSScriptNpp\'
- '-cscs_path:'
- '\cs-script\cscs.dll'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Legitimate administrator usage
level: medium