Techniques
Sample rules
Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- source: sigma
- techniques:
  - t1218
Description
Detects execution of arbitrary DLLs or unsigned code from a “.csproj” file via Dotnet.EXE.
Detection logic
condition: all of selection_* and not 1 of filter_optional_*
filter_optional_notepadplus_plus:
  CommandLine|contains|all:
    - C:\ProgramData\CSScriptNpp\
    - '-cscs_path:'
    - \cs-script\cscs.dll
  ParentImage:
    - C:\Program Files (x86)\Notepad++\notepad++.exe
    - C:\Program Files\Notepad++\notepad++.exe
selection_cli:
  CommandLine|endswith:
    - .csproj
    - .csproj"
    - .dll
    - .dll"
    - .csproj'
    - .dll'
selection_img:
  - Image|endswith: \dotnet.exe
  - OriginalFileName: .NET Host
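
The following is an added example, not part of the Sigma rule or its project: a small Python evaluation of the detection logic above over constructed process-creation events, showing how the selections and the optional Notepad++ filter combine. The event values and the helper names are assumptions made for illustration.

```python
# Added example: the rule's condition evaluated over constructed events.
# Sigma string matching is case-insensitive, so values are lowercased.
SUFFIXES = (".csproj", '.csproj"', ".dll", '.dll"', ".csproj'", ".dll'")
NPP_PARENTS = {
    r"c:\program files (x86)\notepad++\notepad++.exe",
    r"c:\program files\notepad++\notepad++.exe",
}
NPP_CLI_PARTS = ("c:\\programdata\\csscriptnpp\\", "-cscs_path:",
                 r"\cs-script\cscs.dll")

def selection_img(ev):
    # A list of maps under one selection is an OR of its entries.
    return (ev.get("Image", "").lower().endswith(r"\dotnet.exe")
            or ev.get("OriginalFileName", "").lower() == ".net host")

def selection_cli(ev):
    return ev.get("CommandLine", "").lower().endswith(SUFFIXES)

def filter_optional_notepadplus_plus(ev):
    # Fields in one map are ANDed; contains|all needs every substring.
    cli = ev.get("CommandLine", "").lower()
    return (ev.get("ParentImage", "").lower() in NPP_PARENTS
            and all(part in cli for part in NPP_CLI_PARTS))

def matches(ev):
    # condition: all of selection_* and not 1 of filter_optional_*
    return (selection_img(ev) and selection_cli(ev)
            and not filter_optional_notepadplus_plus(ev))

# Constructed sample events (not real telemetry).
EVENTS = {
    "dll_run": {"Image": r"C:\Program Files\dotnet\dotnet.exe",
                "OriginalFileName": ".NET Host",
                "ParentImage": r"C:\Windows\System32\cmd.exe",
                "CommandLine": r'dotnet.exe "C:\Temp\sample.dll"'},
    "renamed_host": {"Image": r"C:\Temp\host.exe",
                     "OriginalFileName": ".NET Host",
                     "ParentImage": r"C:\Windows\explorer.exe",
                     "CommandLine": r"host.exe msbuild C:\Temp\sample.csproj"},
    "npp_plugin": {"Image": r"C:\Program Files\dotnet\dotnet.exe",
                   "OriginalFileName": ".NET Host",
                   "ParentImage": r"C:\Program Files\Notepad++\notepad++.exe",
                   "CommandLine": r"dotnet.exe -cscs_path:C:\ProgramData\CSScriptNpp\cs-script\cscs.dll"},
    "info": {"Image": r"C:\Program Files\dotnet\dotnet.exe",
             "OriginalFileName": ".NET Host",
             "ParentImage": r"C:\Windows\System32\cmd.exe",
             "CommandLine": "dotnet.exe --info"},
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:14} -> {'ALERT' if matches(ev) else 'no match'}")
```

The `renamed_host` event alerts only because `OriginalFileName` is checked alongside `Image`, and `npp_plugin` satisfies both selections but is suppressed by the filter.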