Potential DLL Sideloading Using Coregen.exe
Detect usage of DLL "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
Sigma rule (View on GitHub)
1title: Potential DLL Sideloading Using Coregen.exe
2id: 0fa66f66-e3f6-4a9c-93f8-4f2610b00171
3status: experimental
4description: Detect usage of DLL "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
5references:
6 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/
7author: frack113
8date: 2022/12/31
9tags:
10 - attack.defense_evasion
11 - attack.t1218
12 - attack.t1055
13logsource:
14 category: image_load
15 product: windows
16detection:
17 selection:
18 Image|endswith: '\coregen.exe'
19 filter:
20 ImageLoaded|startswith:
21 - 'C:\Windows\System32\'
22 - 'C:\Windows\SysWOW64\'
23 - 'C:\Program Files\Microsoft Silverlight\'
24 - 'C:\Program Files (x86)\Microsoft Silverlight\'
25 condition: selection and not filter
26falsepositives:
27 - Unknown
28level: medium