DotNet CLR DLL Loaded By Scripting Applications
Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
Sigma rule
```yaml
title: DotNet CLR DLL Loaded By Scripting Applications
id: 4508a70e-97ef-4300-b62b-ff27992990ea
status: test
description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
references:
    - https://github.com/tyranid/DotNetToJScript
    - https://thewover.github.io/Introducing-Donut/
    - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
    - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
author: omkar72, oscd.community
date: 2020-10-14
modified: 2023-02-23
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.privilege-escalation
    - attack.t1055
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmstp.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\msxsl.exe'
            - '\regsvr32.exe'
            # - '\svchost.exe'
            - '\wmic.exe'
            - '\wscript.exe'
        ImageLoaded|endswith:
            - '\clr.dll'
            - '\mscoree.dll'
            - '\mscorlib.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
```
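To show what this rule's selection actually matches, the following is an added example (not code from the Sigma project) that evaluates the two `endswith` lists over a handful of constructed Sysmon Event ID 7 image-load records, using Sigma's case-insensitive string matching; the field names and sample paths are assumptions for illustration.

```python
# Added example, not part of the Sigma project: evaluates this rule's
# selection over constructed Sysmon Event ID 7 (image_load) records.
# Sigma string matching is case-insensitive, so both fields are lowercased.
from typing import Iterable

IMAGE_SUFFIXES = (
    "\\cmstp.exe", "\\cscript.exe", "\\mshta.exe", "\\msxsl.exe",
    "\\regsvr32.exe", "\\wmic.exe", "\\wscript.exe",
)
LOADED_SUFFIXES = ("\\clr.dll", "\\mscoree.dll", "\\mscorlib.dll")


def _endswith_any(value: str, suffixes: tuple) -> bool:
    v = value.lower()
    return any(v.endswith(s) for s in suffixes)


def matches(event: dict) -> bool:
    """True when the event satisfies the rule's 'selection' (both fields)."""
    return (_endswith_any(event.get("Image", ""), IMAGE_SUFFIXES)
            and _endswith_any(event.get("ImageLoaded", ""), LOADED_SUFFIXES))


def alerts(events: Iterable[dict]) -> list:
    """Return the (Image, ImageLoaded) pairs that fire the rule."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if matches(e)]


# Constructed sample events (Sysmon EID 7 fields); not from a real host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"Image": r"C:\Windows\SysWOW64\cscript.exe",
     "ImageLoaded": r"C:\Windows\System32\MSCOREE.DLL"},
    # Benign: a .NET application loading the CLR is expected behaviour.
    {"Image": r"C:\Program Files\App\App.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    # Benign: wscript loading an ordinary system DLL.
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    # svchost is commented out in the rule, so this must not match.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll"},
]

if __name__ == "__main__":
    for image, loaded in alerts(SAMPLE_EVENTS):
        print(f"ALERT: {image} loaded {loaded}")
```

Only the first two records fire; the third shows why the `Image` list matters (any .NET process loads clr.dll), and the last shows that the commented-out svchost entry is not part of the selection.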
