DotNet CLR DLL Loaded By Scripting Applications
Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
Sigma rule (View on GitHub)
1title: DotNet CLR DLL Loaded By Scripting Applications
2id: 4508a70e-97ef-4300-b62b-ff27992990ea
3status: test
4description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
5references:
6 - https://github.com/tyranid/DotNetToJScript
7 - https://thewover.github.io/Introducing-Donut/
8 - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
9 - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
10author: omkar72, oscd.community
11date: 2020/10/14
12modified: 2023/02/23
13tags:
14 - attack.execution
15 - attack.privilege_escalation
16 - attack.t1055
17logsource:
18 category: image_load
19 product: windows
20detection:
21 selection:
22 Image|endswith:
23 - '\cmstp.exe'
24 - '\cscript.exe'
25 - '\mshta.exe'
26 - '\msxsl.exe'
27 - '\regsvr32.exe'
28 # - '\svchost.exe'
29 - '\wmic.exe'
30 - '\wscript.exe'
31 ImageLoaded|endswith:
32 - '\clr.dll'
33 - '\mscoree.dll'
34 - '\mscorlib.dll'
35 condition: selection
36falsepositives:
37 - Unknown
38level: high
References
-
A tool to create a JScript file which loads a .NET v2 assembly from memory. - tyranid/DotNetToJScript
Read More -
TLDR: You can now inject .NET Assemblies into Windows processes using this repo: https://github.com/TheWover/donut/
Read More -
Table Top With Teeth - Training Exercise . GitHub Gist: instantly share code, notes, and snippets.
Read More
Related rules
- Azure Kubernetes CronJob
- OMIGOD HTTP No Authentication RCE
- Suspect Svchost Activity
- Audit CVE Event
- Created Files by Microsoft Sync Center