Potential DLL Sideloading Of MsCorSvc.DLL
Detects potential DLL sideloading of "mscorsvc.dll".
Sigma rule (View on GitHub)
1title: Potential DLL Sideloading Of MsCorSvc.DLL
2id: cdb15e19-c2d0-432a-928e-e49c8c60dcf2
3status: test
4description: Detects potential DLL sideloading of "mscorsvc.dll".
5references:
6 - https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html
7author: Wietze Beukema
8date: 2024-07-11
9modified: 2025-02-26
10tags:
11 - attack.privilege-escalation
12 - attack.persistence
13 - attack.defense-evasion
14 - attack.t1574.001
15logsource:
16 product: windows
17 category: image_load
18detection:
19 selection:
20 ImageLoaded|endswith: '\mscorsvc.dll'
21 filter_main_generic:
22 ImageLoaded|startswith:
23 - 'C:\Windows\Microsoft.NET\Framework\'
24 - 'C:\Windows\Microsoft.NET\Framework64\'
25 - 'C:\Windows\Microsoft.NET\FrameworkArm\'
26 - 'C:\Windows\Microsoft.NET\FrameworkArm64\'
27 - 'C:\Windows\WinSxS\'
28 condition: selection and not 1 of filter_main_*
29falsepositives:
30 - Legitimate applications loading their own versions of the DLL mentioned in this rule.
31level: medium
References
-
Check out the entry for mscorsvc.dll on HijackLibs - it is loaded by applications vulnerable to DLL Hijacking!
Read More
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL