Potential DLL Sideloading Of MsCorSvc.DLL
Detects potential DLL sideloading of "mscorsvc.dll".
Sigma rule (View on GitHub)
1title: Potential DLL Sideloading Of MsCorSvc.DLL
2id: cdb15e19-c2d0-432a-928e-e49c8c60dcf2
3status: experimental
4description: Detects potential DLL sideloading of "mscorsvc.dll".
5references:
6 - https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html
7author: Wietze Beukema
8date: 2024-07-11
9tags:
10 - attack.defense-evasion
11 - attack.t1574.002
12logsource:
13 product: windows
14 category: image_load
15detection:
16 selection:
17 ImageLoaded|endswith: '\mscorsvc.dll'
18 filter_main_generic:
19 ImageLoaded|startswith:
20 - 'C:\Windows\Microsoft.NET\Framework\'
21 - 'C:\Windows\Microsoft.NET\Framework64\'
22 - 'C:\Windows\WinSxS\'
23 condition: selection and not 1 of filter_main_*
24falsepositives:
25 - Legitimate applications loading their own versions of the DLL mentioned in this rule.
26level: medium
References
-
Check out the entry for mscorsvc.dll on HijackLibs - it is loaded by applications vulnerable to DLL Hijacking!
Read More
Related rules
- APT27 - Emissary Panda Activity
- Creation Of Non-Existent System DLL
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL
- DHCP Server Loaded the CallOut DLL