Adversaries may be using DLL sideloading to inject malicious code into legitimate processes by replacing or loading a compromised MsCorSvc.DLL. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential code execution attacks that evade traditional detection methods.
Detection Rule
title: Potential DLL Sideloading Of MsCorSvc.DLL
id: cdb15e19-c2d0-432a-928e-e49c8c60dcf2
status: test
description: Detects potential DLL sideloading of "mscorsvc.dll".
references:
- https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html
author: Wietze Beukema
date: 2024-07-11
modified: 2025-02-26
tags:
- attack.privilege-escalation
- attack.persistence
- attack.defense-evasion
- attack.t1574.001
logsource:
product: windows
category: image_load
detection:
selection:
ImageLoaded|endswith: '\mscorsvc.dll'
filter_main_generic:
ImageLoaded|startswith:
- 'C:\Windows\Microsoft.NET\Framework\'
- 'C:\Windows\Microsoft.NET\Framework64\'
- 'C:\Windows\Microsoft.NET\FrameworkArm\'
- 'C:\Windows\Microsoft.NET\FrameworkArm64\'
- 'C:\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate applications loading their own versions of the DLL mentioned in this rule.
level: medium
DeviceImageLoadEvents
| where FolderPath endswith "\\mscorsvc.dll" and (not((FolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework\\" or FolderPath startswith "C:\\Windows\\Microsoft.NET\\Framework64\\" or FolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm\\" or FolderPath startswith "C:\\Windows\\Microsoft.NET\\FrameworkArm64\\" or FolderPath startswith "C:\\Windows\\WinSxS\\")))Scenario: Microsoft .NET Framework Installation
Description: Legitimate installation of the .NET Framework may involve copying MsCorSvc.dll to system directories.
Filter/Exclusion: Check the file’s hash against known Microsoft hashes or verify the source path (e.g., C:\Windows\Microsoft.NET\Framework\v4.0.30319\).
Scenario: Scheduled Task for Application Deployment
Description: A scheduled task may copy MsCorSvc.dll to a temporary directory as part of a deployment or update process.
Filter/Exclusion: Filter by the task name or source path (e.g., C:\Windows\Temp\ or C:\inetpub\).
Scenario: System File Integrity Check (SFIC) Tool Usage
Description: Tools like sfc /scannow or DISM may temporarily place MsCorSvc.dll in system directories during repair operations.
Filter/Exclusion: Exclude events where the file is located in C:\Windows\Temp\ or where the process is svchost.exe or SystemSettingsBroker.exe.
Scenario: Admin Task for Custom DLL Replacement
Description: An administrator may manually replace MsCorSvc.dll with a custom version for testing or compatibility.
Filter/Exclusion: Exclude events where the file is modified by a known admin tool (e.g., regsvr32.exe, dllhost.exe) or where the user is a domain admin.
Scenario: Antivirus or Endpoint Protection Scan
Description: Some security tools may extract or temporarily place MsCorSvc.dll in system directories during a scan.
Filter/Exclusion: Exclude events where the process is a known antivirus tool (e.g., MsMpEng.exe, `