legitimate use of dnx.exe by legitimate user

t1027
t1027.004
t1218
windows
sigma

Techniques

t1027
t1027.004
t1218

Sample rules

Potential Application Whitelisting Bypass via Dnx.EXE

source: sigma
technicques:
- t1027
- t1027.004
- t1218

Description

Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code. Attackers might abuse this in order to bypass application whitelisting.

Detection logic

condition: selection
selection:
  Image|endswith: \dnx.exe