Fsi.exe
64-bit F# interactive interpreter (FSharp), included with Visual Studio and the .NET Core SDK.
Paths
C:\Program Files\dotnet\sdk\<version>\FSharp\fsi.exe
C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\CommonExtensions\Microsoft\FSharp\fsi.exe
Commands
AWL Bypass
Execute F# code via script file
Use case: Execute payload with Microsoft signed binary to bypass WDAC policies
Privileges: User
fsi.exe {PATH:.fsscript}
AWL Bypass
Execute F# code via interactive command line
Use case: Execute payload with Microsoft signed binary to bypass WDAC policies
Privileges: User
fsi.exe
Detection
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- IOC: Fsi.exe execution may be suspicious on non-developer machines; a script path on the command line, execution from outside the install paths listed above, or an outbound network connection from fsi.exe (the two Elastic rules above) strengthens the signal
- Sigma: https://github.com/SigmaHQ/sigma/blob/6b34764215b0e97e32cbc4c6325fc933d2695c3a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml