SigmaHQ/rules/windows/process_creation/win_susp_dnx.yml

title: Application Whitelisting Bypass via Dnx.exe
id: 81ebd28b-9607-4478-bf06-974ed9d53ed7
status: experimental
description: Execute C# code located in the consoleapp folder
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml
    - https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
author: Beyu Denis, oscd.community
date: 2019/10/26
modified: 2019/11/04
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1218
level: medium
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\dnx.exe'
    condition: selection
falsepositives:
    - Legitimate use of dnx.exe by legitimate user
fix: fixed casing and long rule titles 2020-01-30 16:26:09 +00:00			`title: Application Whitelisting Bypass via Dnx.exe`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 81ebd28b-9607-4478-bf06-974ed9d53ed7`
add win_susp_dnx.yml 2019-10-26 17:58:45 +00:00			`status: experimental`
modified win_susp_dnx.yml 2019-10-26 18:20:21 +00:00			`description: Execute C# code located in the consoleapp folder`
add win_susp_dnx.yml 2019-10-26 17:58:45 +00:00			`references:`
			`- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml`
			`- https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/`
Update win_susp_dnx.yml 2019-11-04 15:34:25 +00:00			`author: Beyu Denis, oscd.community`
add win_susp_dnx.yml 2019-10-26 17:58:45 +00:00			`date: 2019/10/26`
Update win_susp_dnx.yml 2019-11-04 15:34:25 +00:00			`modified: 2019/11/04`
			`tags:`
			`- attack.defense_evasion`
			`- attack.execution`
			`- attack.t1218`
add win_susp_dnx.yml 2019-10-26 17:58:45 +00:00			`level: medium`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
Update win_susp_dnx.yml 2019-11-04 15:34:25 +00:00			`selection:`
add modifiers 2019-11-07 22:34:30 +00:00			`Image\|endswith: '\dnx.exe'`
Update win_susp_dnx.yml 2019-11-04 15:34:25 +00:00			`condition: selection`
add win_susp_dnx.yml 2019-10-26 17:58:45 +00:00			`falsepositives:`
Update win_susp_dnx.yml 2019-11-04 15:34:25 +00:00			`- Legitimate use of dnx.exe by legitimate user`