Detectionmediumtest
Potential DLL Sideloading Of MsCorSvc.DLL
Detects potential DLL sideloading of "mscorsvc.dll".
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
WindowsImage Load (DLL)
ProductWindows← raw: windows
CategoryImage Load (DLL)← raw: image_load
Detection Logic
Detection Logic2 selectors
detection:
selection:
ImageLoaded|endswith: '\mscorsvc.dll'
filter_main_generic:
ImageLoaded|startswith:
- 'C:\Windows\Microsoft.NET\Framework\'
- 'C:\Windows\Microsoft.NET\Framework64\'
- 'C:\Windows\Microsoft.NET\FrameworkArm\'
- 'C:\Windows\Microsoft.NET\FrameworkArm64\'
- 'C:\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*False Positives
Legitimate applications loading their own versions of the DLL mentioned in this rule.
References
MITRE ATT&CK
Rule Metadata
Rule ID
cdb15e19-c2d0-432a-928e-e49c8c60dcf2
Status
test
Level
medium
Type
Detection
Created
Thu Jul 11
Modified
Wed Feb 26
Author
Path
rules/windows/image_load/image_load_side_load_mscorsvc.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.defense-evasionattack.t1574.001