Dotnet.exe

dotnet.exe comes with .NET Framework.

Paths

  • C:\Program Files\dotnet\dotnet.exe

Commands

AWL Bypass

dotnet.exe will execute any DLL even if AppLocker is enabled.

Use case: Execute code bypassing AWL

Privileges: User

dotnet.exe {PATH:.dll}

Execute

dotnet.exe will execute any DLL.

Use case: Execute DLL

Privileges: User

dotnet.exe {PATH:.dll}

Execute

dotnet.exe will open a console which allows for the execution of arbitrary F# commands.

Use case: Execute arbitrary F# code

Privileges: User

dotnet.exe fsi

AWL Bypass

dotnet.exe with msbuild (SDK Version) will execute unsigned code.

Use case: Execute code bypassing AWL

Privileges: User

dotnet.exe msbuild {PATH:.csproj}

Detection
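
An added example (not part of the original entry or of the LOLBAS project): a small classifier that flags the three command-line shapes listed under Commands in process-creation logs. The field names `Image` and `CommandLine` follow Sysmon Event ID 1 conventions, the labels are hypothetical, and the sample records are constructed.

```python
import ntpath
import re

# Constructed process-creation records (Sysmon Event ID 1 style); not real telemetry.
DOTNET = r"C:\Program Files\dotnet\dotnet.exe"
SAMPLE_EVENTS = [
    {"Image": DOTNET,
     "CommandLine": r'"C:\Program Files\dotnet\dotnet.exe" "C:\Users\alice\AppData\Local\Temp\my app.dll"'},
    {"Image": DOTNET, "CommandLine": "dotnet.exe fsi"},
    {"Image": DOTNET, "CommandLine": r"dotnet  msbuild C:\Users\alice\build\payload.csproj"},
    {"Image": DOTNET, "CommandLine": "dotnet.exe --info"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir app.dll"},
]

def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    pairs = re.findall(r'"([^"]*)"|(\S+)', cmdline)
    return [quoted or bare for quoted, bare in pairs if quoted or bare]

def classify(event):
    """Return (label, target) for the dotnet.exe patterns on this page, else None."""
    # Match on the executed image, not on the text of the command line.
    if ntpath.basename(event["Image"]).lower() != "dotnet.exe":
        return None
    args = tokenize(event["CommandLine"])[1:]  # drop argv[0]
    if not args:
        return None
    first = args[0].lower()
    if first.endswith(".dll"):            # dotnet.exe {PATH:.dll}
        return ("dll-execution", args[0])
    if first == "fsi":                    # dotnet.exe fsi
        return ("fsharp-interactive", None)
    if first == "msbuild":                # dotnet.exe msbuild {PATH:.csproj}
        project = next((a for a in args[1:] if a.lower().endswith(".csproj")), None)
        return ("msbuild-project", project)
    return None

def scan(events):
    """Return (event, finding) pairs for every event that matches a pattern."""
    return [(e, f) for e in events if (f := classify(e)) is not None]

if __name__ == "__main__":
    for event, (label, target) in scan(SAMPLE_EVENTS):
        print(f"{label:20} target={target!r} cmd={event['CommandLine']}")
```

On developer workstations these invocations are routine, so the findings are most useful when restricted to hosts where application whitelisting is enforced.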

Resources