Potential DLL Sideloading Using Coregen.exe
Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
Sigma rule (View on GitHub)
1title: Potential DLL Sideloading Using Coregen.exe
2id: 0fa66f66-e3f6-4a9c-93f8-4f2610b00171
3status: test
4description: Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
5references:
6 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/
7author: frack113
8date: 2022-12-31
9tags:
10 - attack.defense-evasion
11 - attack.t1218
12 - attack.t1055
13logsource:
14 category: image_load
15 product: windows
16detection:
17 selection:
18 Image|endswith: '\coregen.exe'
19 filter_main_legit_paths:
20 ImageLoaded|startswith:
21 - 'C:\Program Files (x86)\Microsoft Silverlight\'
22 - 'C:\Program Files\Microsoft Silverlight\'
23 - 'C:\Windows\System32\'
24 - 'C:\Windows\SysWOW64\'
25 condition: selection and not 1 of filter_main_*
26falsepositives:
27 - Unknown
28level: medium
References
-
coregen.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More
Related rules
- Created Files by Microsoft Sync Center
- Microsoft Sync Center Suspicious Network Connections
- COM Object Execution via Xwizard.EXE
- New Capture Session Launched Via DXCap.EXE
- Program Executed Using Proxy/Local Command Via SSH.EXE