EXPLORE
Sign In
← Back to Explore
sigmahighHunting

DotNet CLR DLL Loaded By Scripting Applications

Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.

MITRE ATT&CK

T1055
defense-evasionexecutionprivilege-escalation

Detection Query

selection:
  Image|endswith:
    - \cmstp.exe
    - \cscript.exe
    - \mshta.exe
    - \msxsl.exe
    - \regsvr32.exe
    - \wmic.exe
    - \wscript.exe
  ImageLoaded|endswith:
    - \clr.dll
    - \mscoree.dll
    - \mscorlib.dll
condition: selection

Author

omkar72, oscd.community

Created

2020-10-14

Data Sources

windowsImage Load Events

Platforms

windows

References

Tags

attack.defense-evasionattack.executionattack.privilege-escalationattack.t1055
Raw Content
title: DotNet CLR DLL Loaded By Scripting Applications
id: 4508a70e-97ef-4300-b62b-ff27992990ea
status: test
description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
references:
    - https://github.com/tyranid/DotNetToJScript
    - https://thewover.github.io/Introducing-Donut/
    - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
    - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
author: omkar72, oscd.community
date: 2020-10-14
modified: 2023-02-23
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.privilege-escalation
    - attack.t1055
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmstp.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\msxsl.exe'
            - '\regsvr32.exe'
            # - '\svchost.exe'
            - '\wmic.exe'
            - '\wscript.exe'
        ImageLoaded|endswith:
            - '\clr.dll'
            - '\mscoree.dll'
            - '\mscorlib.dll'
    condition: selection
falsepositives:
    - Unknown
level: high