Synopsis
| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
Payloads that use the DotNet framework may generate suspicious Microsoft DotNet log files.
Attacker's Goals
Run/Inject DotNet code in the context of a signed process.
Investigative actions
- Verify whether the actor process has a legitimate reason to load and use DotNet (for example, it is itself a managed application, or a signed native host that is expected to run managed code).
- Check whether a new application was installed on the host around the time of the alert.
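The two investigative actions above can be carried out with the triage script below. It is an added example, not part of the original alert documentation or the vendor's detector; it assumes the actor process from the alert is still running, that you pass its PID, and that the shell is elevated (module enumeration of other processes needs it). The CLR module names and the registry Uninstall paths are standard Windows locations, not values taken from this page.

```powershell
param(
    [Parameter(Mandatory)][int]$ProcessId,   # PID of the actor process from the alert
    [int]$RecentDays = 7                     # window for "recently installed" applications
)

$proc = Get-Process -Id $ProcessId -ErrorAction Stop
$exe  = $proc.Path

# 1. Is a .NET runtime actually loaded in the process?
#    clr.dll / mscorwks.dll = .NET Framework, coreclr.dll = .NET Core / .NET 5+
$clrModules = @($proc.Modules | Where-Object {
    $_.ModuleName -in @('clr.dll', 'coreclr.dll', 'mscorwks.dll') })

# 2. Is the main executable itself a managed assembly?
#    GetAssemblyName throws BadImageFormatException for a native PE.
$managed = $true
try { [void][System.Reflection.AssemblyName]::GetAssemblyName($exe) }
catch [System.BadImageFormatException] { $managed = $false }

# 3. Who signed the actor binary?
$sig    = Get-AuthenticodeSignature -FilePath $exe
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

# 4. Applications installed within the last $RecentDays days (InstallDate is yyyyMMdd).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$cutoff = (Get-Date).AddDays(-$RecentDays).ToString('yyyyMMdd')
$recent = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.InstallDate -and $_.InstallDate -ge $cutoff } |
    Select-Object DisplayName, InstallDate, Publisher

# Summarise for the analyst. A managed executable with the CLR loaded is the expected case;
# a native executable with the CLR loaded needs a reason (signed host, known plugin model);
# an unsigned native executable with the CLR loaded matches the injected-thread variation.
[pscustomobject]@{
    Process          = "$($proc.ProcessName) ($ProcessId)"
    Path             = $exe
    Signer           = $signer
    SignatureStatus  = $sig.Status
    ManagedExe       = $managed
    ClrLoaded        = $clrModules.Count -gt 0
    ClrModules       = ($clrModules | ForEach-Object { $_.FileName }) -join '; '
} | Format-List

"Applications installed in the last $RecentDays days:"
$recent | Format-Table -AutoSize
```

Run it as `.\Triage-DotNetActor.ps1 -ProcessId <pid>` on the affected host; if the process has already exited, fall back to the file path recorded in the alert for the signature and managed-assembly checks.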
Variations
- DotNet log file created by svchost from 'Absolute software Corp' causality
- Suspicious DotNet log file created from an injected thread
- Suspicious DotNet log file created