Techniques
Sample rules
Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- source: sigma
- techniques:
  - t1218
Description
Detects execution of arbitrary DLLs, or of unsigned code via “.csproj” files, using Dotnet.EXE.
Detection logic
condition: all of selection_*
selection_cli:
  CommandLine|endswith:
    - .csproj
    - .csproj"
    - .dll
    - .dll"
    - .csproj'
    - .dll'
selection_img:
  - Image|endswith: \dotnet.exe
  - OriginalFileName: .NET Host
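
How the condition evaluates, as an added example that is not part of the Sigma rule or project: a small Python evaluator for the two selections, run over constructed process-creation events. The event field layout, the sample paths, and the function names are assumptions made for illustration; string comparison is case-insensitive, as Sigma string matching is by default.

```python
# Added example: evaluates the rule's detection logic on constructed events.
# Suffixes from selection_cli (CommandLine|endswith).
CLI_SUFFIXES = (".csproj", '.csproj"', ".dll", '.dll"', ".csproj'", ".dll'")

def selection_cli(event):
    # True when the command line ends with any listed suffix.
    return event.get("CommandLine", "").lower().endswith(CLI_SUFFIXES)

def selection_img(event):
    # A list of maps is an OR: the image path ends with \dotnet.exe,
    # or the PE OriginalFileName is ".NET Host" (covers a renamed binary).
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\dotnet.exe") or original == ".net host"

def rule_matches(event):
    # condition: all of selection_*  ->  both selections must hold.
    return selection_cli(event) and selection_img(event)

DOTNET = r"C:\Program Files\dotnet\dotnet.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"label": "project file", "Image": DOTNET, "OriginalFileName": ".NET Host",
     "CommandLine": r"dotnet.exe msbuild C:\Temp\sample.csproj"},
    {"label": "quoted dll", "Image": DOTNET, "OriginalFileName": ".NET Host",
     "CommandLine": r'"C:\Program Files\dotnet\dotnet.exe" "C:\Temp\Sample App\sample.dll"'},
    {"label": "renamed host", "Image": r"C:\Temp\host.exe",
     "OriginalFileName": ".NET Host",
     "CommandLine": r"host.exe C:\Temp\sample.DLL"},
    {"label": "info query", "Image": DOTNET, "OriginalFileName": ".NET Host",
     "CommandLine": "dotnet.exe --info"},
    {"label": "other process", "Image": r"C:\Windows\System32\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe C:\Temp\sample.dll"},
]

def matching_labels(events=SAMPLE_EVENTS):
    # Labels of the events the rule would alert on.
    return [e["label"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['label']:14} cli={selection_cli(e)!s:5} "
              f"img={selection_img(e)!s:5} alert={rule_matches(e)}")
```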