← Library
sigmaDRL-1.1from SigmaHQ/sigma

DotNet CLR DLL Loaded By Scripting Applications

Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.

Quality
78
FP risk
Forks
0
Views
0
ATT&CK techniques
T1055
Rule sourcerules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
title: DotNet CLR DLL Loaded By Scripting Applications
id: 4508a70e-97ef-4300-b62b-ff27992990ea
status: test
description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
references:
    - https://github.com/tyranid/DotNetToJScript
    - https://thewover.github.io/Introducing-Donut/
    - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
    - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
author: omkar72, oscd.community
date: 2020-10-14
modified: 2023-02-23
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.privilege-escalation
    - attack.t1055
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmstp.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\msxsl.exe'
            - '\regsvr32.exe'
            # - '\svchost.exe'
            - '\wmic.exe'
            - '\wscript.exe'
        ImageLoaded|endswith:
            - '\clr.dll'
            - '\mscoree.dll'
            - '\mscorlib.dll'
    condition: selection
falsepositives:
    - Unknown
level: high