Legitimate usage of the utility in order to debug and trace a program.

Techniques

Sample rules

Binary Proxy Execution Via Dotnet-Trace.EXE

Description

Detects command-line arguments used to execute a child process via dotnet-trace.exe.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
  - '-- '
  - collect
selection_img:
- Image|endswith: \dotnet-trace.exe
- OriginalFileName: dotnet-trace.dll