The hunting hypothesis is that coregen.exe (the Microsoft CoreCLR Native Image Generator) loading DLLs from non-standard locations indicates potential DLL sideloading by an adversary attempting to execute malicious code under a trusted, Microsoft-signed process. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that use DLL sideloading and process injection techniques to evade detection.
Detection Rule
title: Potential DLL Sideloading Using Coregen.exe
id: 0fa66f66-e3f6-4a9c-93f8-4f2610b00171
status: test
description: Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/
author: frack113
date: 2022-12-31
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1218
    - attack.t1055
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\coregen.exe'
    filter_main_legit_paths:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Microsoft Silverlight\'
            - 'C:\Program Files\Microsoft Silverlight\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
KQL translation (Microsoft Defender advanced hunting / Azure Sentinel, DeviceImageLoadEvents table; endswith and startswith are case-insensitive, matching Sigma's semantics):
DeviceImageLoadEvents
| where InitiatingProcessFolderPath endswith "\\coregen.exe"
    and not (
        FolderPath startswith "C:\\Program Files (x86)\\Microsoft Silverlight\\"
        or FolderPath startswith "C:\\Program Files\\Microsoft Silverlight\\"
        or FolderPath startswith "C:\\Windows\\System32\\"
        or FolderPath startswith "C:\\Windows\\SysWOW64\\"
    )
Scenario: Coregen.exe used by legitimate system maintenance tool
Description: A system maintenance tool (e.g., Microsoft’s System File Checker or third-party disk cleanup utilities) may invoke coregen.exe as part of its operations.
Filter/Exclusion: Check the command line arguments for known legitimate tools or use a process tree filter to exclude child processes spawned by trusted system utilities.
Scenario: Scheduled job for software deployment
Description: A scheduled task may use coregen.exe to deploy or update software, especially in environments where custom deployment scripts are common.
Filter/Exclusion: Exclude processes initiated by the Task Scheduler with known deployment task names or filter by the user account used for scheduled tasks.
Scenario: Coregen.exe used by an admin for custom build or configuration
Description: An administrator may use coregen.exe as part of a custom build or configuration process, such as generating configuration files or scripts.
Filter/Exclusion: Filter by the user account (e.g., Administrator) and check for known build directories or script execution paths.
Scenario: Coregen.exe used by a legitimate third-party application
Description: Some third-party applications (e.g., certain development or testing tools) may include coregen.exe as part of their runtime or utility components.
Filter/Exclusion: Exclude processes originating from known trusted vendors or directories associated with those applications.
Scenario: Coregen.exe used in a script for automation
Description: A script (e.g., PowerShell or batch) may call coregen.exe as part of an automation workflow, such as generating temporary files or configuration data.
Filter/Exclusion: Filter by script execution paths or use a process parent filter to exclude scripts run from trusted locations (e.g., C:\Windows\System32).
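The following is an added example, not code from the Sigma rule, the KQL query, or this page. It implements the rule's selection-and-filter logic over constructed image-load records (Sigma's Image / ImageLoaded fields, which Sysmon Event ID 7 and DeviceImageLoadEvents both supply) and then layers on the kind of exclusion the false-positive scenarios above call for. The parent-process field is assumed enrichment that the rule's logsource does not carry; the "Contoso Deploy" vendor paths, the sample events, and the DLL names are all constructed. The exclusion is deliberately keyed on both a trusted parent process and a DLL under that vendor's directory, so that neither attribute alone (a parent process name, or a service account) can silence the rule; a user-account key could be added to the same structure in the same way.

```python
"""Added example (not part of the Sigma rule, the KQL query, or the page):
evaluates the rule's selection/filter logic over constructed image-load
records and adds a parent-process-plus-directory exclusion of the kind the
false-positive scenarios describe. parent_image is assumed enrichment."""

from dataclasses import dataclass

# Directories the rule treats as legitimate DLL sources (filter_main_legit_paths).
LEGIT_PATH_PREFIXES = (
    "C:\\Program Files (x86)\\Microsoft Silverlight\\",
    "C:\\Program Files\\Microsoft Silverlight\\",
    "C:\\Windows\\System32\\",
    "C:\\Windows\\SysWOW64\\",
)


@dataclass(frozen=True)
class ImageLoadEvent:
    """Subset of a Sysmon Event ID 7 / DeviceImageLoadEvents record."""
    image: str              # loading process   (Sigma: Image)
    image_loaded: str       # DLL that was loaded (Sigma: ImageLoaded)
    parent_image: str = ""  # assumed process-tree enrichment, not in the rule


def sigma_match(ev: ImageLoadEvent) -> bool:
    """Sigma condition 'selection and not 1 of filter_main_*'.

    Sigma's endswith/startswith modifiers and their KQL counterparts compare
    case-insensitively, so both sides are lower-cased; without that a path
    such as 'C:\\WINDOWS\\SYSTEM32\\' would slip past the filter and false-alert.
    """
    image = ev.image.lower()
    loaded = ev.image_loaded.lower()
    if not image.endswith("\\coregen.exe"):
        return False
    return not any(loaded.startswith(p.lower()) for p in LEGIT_PATH_PREFIXES)


@dataclass(frozen=True)
class Exclusion:
    """One tuning entry. Suppression requires BOTH a trusted parent process and
    a DLL under that vendor's own directory, so a single weak attribute cannot
    silence the rule."""
    parent_image: str  # lower-case full path of the trusted parent
    dll_prefix: str    # lower-case directory prefix the DLL must live under


# Constructed tuning entry for the 'scheduled job for software deployment'
# scenario. The vendor and its paths are hypothetical, not taken from the page.
EXCLUSIONS = (
    Exclusion(
        parent_image="c:\\program files\\contoso deploy\\deployagent.exe",
        dll_prefix="c:\\program files\\contoso deploy\\",
    ),
)


def excluded(ev: ImageLoadEvent, exclusions=EXCLUSIONS) -> bool:
    parent = ev.parent_image.lower()
    loaded = ev.image_loaded.lower()
    return any(parent == x.parent_image and loaded.startswith(x.dll_prefix)
               for x in exclusions)


def alert(ev: ImageLoadEvent, exclusions=EXCLUSIONS) -> bool:
    """Final verdict: a rule hit that survives the tuning exclusions."""
    return sigma_match(ev) and not excluded(ev, exclusions)


# Constructed sample records (every path and file name here is made up).
SAMPLE_EVENTS = [
    # 0: coregen.exe in the Silverlight directory loading a system DLL -> filtered.
    ImageLoadEvent("C:\\Program Files (x86)\\Microsoft Silverlight\\5.1.50918.0\\coregen.exe",
                   "C:\\Windows\\System32\\kernel32.dll",
                   parent_image="C:\\Windows\\explorer.exe"),
    # 1: a copied coregen.exe loading a DLL from a user-writable directory -> alert.
    ImageLoadEvent("C:\\Users\\Public\\coregen.exe",
                   "C:\\Users\\Public\\sideloaded.dll",
                   parent_image="C:\\Windows\\System32\\cmd.exe"),
    # 2: upper-case system path; must still be filtered (case-insensitive match).
    ImageLoadEvent("C:\\Tools\\CoreGen.EXE",
                   "C:\\WINDOWS\\SYSTEM32\\ADVAPI32.DLL",
                   parent_image="C:\\Windows\\explorer.exe"),
    # 3: deployment-agent scenario, DLL inside the vendor directory -> excluded.
    ImageLoadEvent("C:\\Program Files\\Contoso Deploy\\bin\\coregen.exe",
                   "C:\\Program Files\\Contoso Deploy\\native\\helper.dll",
                   parent_image="C:\\Program Files\\Contoso Deploy\\DeployAgent.exe"),
    # 4: same trusted parent, but the DLL comes from a public directory -> alert.
    ImageLoadEvent("C:\\Program Files\\Contoso Deploy\\bin\\coregen.exe",
                   "C:\\Users\\Public\\updater.dll",
                   parent_image="C:\\Program Files\\Contoso Deploy\\DeployAgent.exe"),
    # 5: not coregen.exe at all -> selection does not match.
    ImageLoadEvent("C:\\Windows\\System32\\notepad.exe",
                   "C:\\Users\\Public\\sideloaded.dll",
                   parent_image="C:\\Windows\\explorer.exe"),
]


def run(events=SAMPLE_EVENTS, exclusions=EXCLUSIONS):
    """Return the DLL paths that would raise an alert, in event order."""
    return [ev.image_loaded for ev in events if alert(ev, exclusions)]


if __name__ == "__main__":
    for path in run():
        print("ALERT:", path)
```

Running the script prints only the two DLLs loaded from C:\Users\Public\ (events 1 and 4); event 2 shows why the case-insensitive comparison matters, and event 3 versus event 4 shows the exclusion suppressing the vendor's own DLL while still alerting when the same trusted parent loads a DLL from elsewhere. Calling run(exclusions=()) gives the untuned rule output, which additionally includes the vendor's helper.dll.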