Potential DLL Sideloading Of MsCorSvc.DLL
Detects potential DLL sideloading of "mscorsvc.dll".
Sigma rule (View on GitHub)
1title: Potential DLL Sideloading Of MsCorSvc.DLL
2id: cdb15e19-c2d0-432a-928e-e49c8c60dcf2
3status: test
4description: Detects potential DLL sideloading of "mscorsvc.dll".
5references:
6 - https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html
7author: Wietze Beukema
8date: 2024-07-11
9modified: 2025-02-26
10tags:
11 - attack.defense-evasion
12 - attack.t1574.001
13logsource:
14 product: windows
15 category: image_load
16detection:
17 selection:
18 ImageLoaded|endswith: '\mscorsvc.dll'
19 filter_main_generic:
20 ImageLoaded|startswith:
21 - 'C:\Windows\Microsoft.NET\Framework\'
22 - 'C:\Windows\Microsoft.NET\Framework64\'
23 - 'C:\Windows\Microsoft.NET\FrameworkArm\'
24 - 'C:\Windows\Microsoft.NET\FrameworkArm64\'
25 - 'C:\Windows\WinSxS\'
26 condition: selection and not 1 of filter_main_*
27falsepositives:
28 - Legitimate applications loading their own versions of the DLL mentioned in this rule.
29level: medium
References
-
Check out the entry for mscorsvc.dll on HijackLibs - it is loaded by applications vulnerable to DLL Hijacking!
Read More
Related rules
- Potential System DLL Sideloading From Non System Locations
- Potential DLL Sideloading Of DbgModel.DLL
- Potential DLL Sideloading Of MpSvc.DLL
- Potential Raspberry Robin Aclui Dll SideLoading
- APT27 - Emissary Panda Activity