Detectionmediumtest
Binary Proxy Execution Via Dotnet-Trace.EXE
Detects commandline arguments for executing a child process via dotnet-trace.exe
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection_img:
- Image|endswith: '\dotnet-trace.exe'
- OriginalFileName: 'dotnet-trace.dll'
selection_cli:
CommandLine|contains|all:
- '-- '
- 'collect'
condition: all of selection_*False Positives
Legitimate usage of the utility in order to debug and trace a program.
References
MITRE ATT&CK
Rule Metadata
Rule ID
9257c05b-4a4a-48e5-a670-b7b073cf401b
Status
test
Level
medium
Type
Detection
Created
Tue Jan 02
Author
Path
rules/windows/process_creation/proc_creation_win_dotnet_trace_lolbin_execution.yml
Raw Tags
attack.executionattack.defense-evasionattack.t1218