Potential DLL Sideloading Using Coregen.exe

Nov 2, 2023 · attack.defense_evasion attack.t1218 attack.t1055 ·

Detect usage of DLL "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.

Sigma rule (View on GitHub)

 1title: Potential DLL Sideloading Using Coregen.exe
 2id: 0fa66f66-e3f6-4a9c-93f8-4f2610b00171
 3status: test
 4description: Detect usage of DLL "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
 5references:
 6    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/
 7author: frack113
 8date: 2022/12/31
 9tags:
10    - attack.defense_evasion
11    - attack.t1218
12    - attack.t1055
13logsource:
14    category: image_load
15    product: windows
16detection:
17    selection:
18        Image|endswith: '\coregen.exe'
19    filter:
20        ImageLoaded|startswith:
21            - 'C:\Windows\System32\'
22            - 'C:\Windows\SysWOW64\'
23            - 'C:\Program Files\Microsoft Silverlight\'
24            - 'C:\Program Files (x86)\Microsoft Silverlight\'
25    condition: selection and not filter
26falsepositives:
27    - Unknown
28level: medium

References

Coregen | LOLBAS

Execute: DLL This LOLBAS executes Dynamic-Link Libraries (DLLs).

Read More

Potential DLL Sideloading Using Coregen.exe

Sigma rule (View on GitHub)

References

Coregen | LOLBAS

Related rules