DotNet CLR DLL Loaded By Scripting Applications
Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
Sigma rule
title: DotNet CLR DLL Loaded By Scripting Applications
id: 4508a70e-97ef-4300-b62b-ff27992990ea
status: test
description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
references:
    - https://github.com/tyranid/DotNetToJScript
    - https://thewover.github.io/Introducing-Donut/
    - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
    - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
author: omkar72, oscd.community
date: 2020-10-14
modified: 2023-02-23
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.t1055
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmstp.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\msxsl.exe'
            - '\regsvr32.exe'
            # - '\svchost.exe'
            - '\wmic.exe'
            - '\wscript.exe'
        ImageLoaded|endswith:
            - '\clr.dll'
            - '\mscoree.dll'
            - '\mscorlib.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
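The rule's single selection is an AND of two endswith lists: the loading process must be one of the listed script hosts, and the loaded module must be one of the three CLR components. The Python below is an added example (not part of the Sigma rule or the Sigma project) that re-implements that selection and runs it over a handful of constructed image_load events, so you can see which events would alert and which would not. It assumes the Sigma windows image_load field names Image and ImageLoaded, and that Sigma string matching is case-insensitive; the sample paths are constructed, not real telemetry.

```python
"""Evaluate the 'DotNet CLR DLL Loaded By Scripting Applications' selection
against constructed image_load events (added example, not the rule's code)."""

# Process images from the rule's Image|endswith list. svchost.exe is
# commented out in the rule, so it is deliberately absent here.
SCRIPT_HOSTS = (
    "\\cmstp.exe", "\\cscript.exe", "\\mshta.exe", "\\msxsl.exe",
    "\\regsvr32.exe", "\\wmic.exe", "\\wscript.exe",
)
# CLR components from the rule's ImageLoaded|endswith list.
CLR_DLLS = ("\\clr.dll", "\\mscoree.dll", "\\mscorlib.dll")


def _endswith_any(value: str, suffixes: tuple) -> bool:
    """Sigma's |endswith modifier compares case-insensitively (assumption
    stated in the lead-in), which also fits Windows path semantics."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's selection (both fields)."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    return _endswith_any(image, SCRIPT_HOSTS) and _endswith_any(loaded, CLR_DLLS)


def scan(events):
    """Return the events that would raise this level: high alert."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events in the shape of Sysmon/Sigma image_load records.
SAMPLE_EVENTS = [
    # script host loading the CLR shim: alerts
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Windows\System32\mscoree.dll"},
    # 32-bit cscript loading clr.dll from the Framework dir: alerts
    {"Image": r"C:\Windows\SysWOW64\cscript.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"},
    # script host loading an ordinary system DLL: no alert
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    # svchost is commented out in the rule: no alert
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\mscoree.dll"},
    # a legitimate .NET host loading the CLR: no alert
    {"Image": r"C:\Program Files\dotnet\dotnet.exe",
     "ImageLoaded": r"C:\Windows\System32\mscoree.dll"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["ImageLoaded"])
```

Because the rule lists falsepositives as Unknown, a reasonable next step when deploying it is to run scan() over a day of real image_load telemetry and review every hit, then add a filter for any script-host-plus-CLR pairing that is expected in your environment rather than lowering the level.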
Related rules
- PowerShell ShellCode
- APT PRIVATELOG Image Load Pattern
- Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
- Audit CVE Event
- Azure Kubernetes CronJob