detection.wiki

Detection rules › Sigma

DotNet CLR DLL Loaded By Scripting Applications

Severity
high
Author
omkar72, oscd.community
Source
upstream

Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.

MITRE ATT&CK coverage

TacticTechniques
Privilege EscalationT1055 Process Injection
Defense EvasionT1055 Process Injection

Event coverage

ProviderEvent IDTitle
Sysmon7Image loaded

Stages and Predicates

Stage 1: selection

or:
Image|endswith: '\cmstp.exe'
Image|endswith: '\cscript.exe'
Image|endswith: '\mshta.exe'
Image|endswith: '\msxsl.exe'
Image|endswith: '\regsvr32.exe'
Image|endswith: '\wmic.exe'
Image|endswith: '\wscript.exe'
or:
ImageLoaded|endswith: '\clr.dll'
ImageLoaded|endswith: '\mscoree.dll'
ImageLoaded|endswith: '\mscorlib.dll'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Imageends_with
  • \cmstp.exe corpus 9 (sigma 9)
  • \cscript.exe corpus 64 (sigma 64)
  • \mshta.exe corpus 57 (sigma 57)
  • \msxsl.exe corpus 7 (sigma 7)
  • \regsvr32.exe corpus 57 (sigma 57)
  • \wmic.exe corpus 37 (sigma 37)
  • \wscript.exe corpus 64 (sigma 64)
ImageLoadedends_with
  • \clr.dll
  • \mscoree.dll corpus 2 (sigma 2)
  • \mscorlib.dll