Detectionmediumtest

Potential Application Whitelisting Bypass via Dnx.EXE

Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code. Attackers might abuse this in order to bypass application whitelisting.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Beyu Denis, oscd.communityCreated Sat Oct 26Updated Wed Apr 2481ebd28b-9607-4478-bf06-974ed9d53ed7windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: '\dnx.exe'
    condition: selection

False Positives

Legitimate use of dnx.exe by legitimate user

References

Resolving title…

lolbas-project.github.io

Resolving title…

enigma0x3.net

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1218 · System Binary Proxy Execution

Sub-techniques

T1027.004 · Compile After Delivery

Rule Metadata

Rule ID

81ebd28b-9607-4478-bf06-974ed9d53ed7

Status

test

Level

medium

Type

Detection

Created

Sat Oct 26

Modified

Wed Apr 24

Author

Beyu Denis, oscd.community

Path

rules/windows/process_creation/proc_creation_win_dnx_execute_csharp_code.yml

Raw Tags

attack.defense-evasionattack.t1218attack.t1027.004

View on GitHub