execute .NET assembly

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: execute .NET assembly
    namespace: load-code/dotnet
    authors:
      - anushka.virgaonkar@mandiant.com
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Defense Evasion::Reflective Code Loading [T1620]
  features:
    - or:
      - api: System.AppDomain::ExecuteAssembly
      - api: System.AppDomain::ExecuteAssemblyByName

last edited: 2023-11-24 10:34:28