2020-10-09 17:10:49 +02:00
---
Name : coregen.exe
2020-10-10 21:54:50 +02:00
Description : Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregen is located within "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight.
2020-10-09 17:10:49 +02:00
Author : Martin Sohn Christensen
Created : 2020-10-09
Commands :
2022-04-26 17:59:14 +02:00
- Command : coregen.exe /L C:\folder\evil.dll dummy_assembly_name
2020-10-09 17:10:49 +02:00
Description : Loads the target .DLL in arbitrary path specified with /L.
Usecase : Execute DLL code
Category : Execute
Privileges : User
MitreID : T1055
OperatingSystem : Windows
- Command : coregen.exe dummy_assembly_name
Description : Loads the coreclr.dll in the corgen.exe directory (e.g. C:\Program Files\Microsoft Silverlight\5.1.50918.0).
Usecase : Execute DLL code
Category : Execute
Privileges : User
MitreID : T1055
OperatingSystem : Windows
- Command : coregen.exe /L C:\folder\evil.dll dummy_assembly_name
Description : Loads the target .DLL in arbitrary path specified with /L. Since binary is signed it can also be used to bypass application whitelisting solutions.
Usecase : Execute DLL code
Category : AWL Bypass
Privileges : User
MitreID : T1218
OperatingSystem : Windows
Full_Path :
- Path : C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe
- Path : C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe
2021-11-05 19:58:26 +01:00
Code_Sample :
- Code :
2020-10-09 17:10:49 +02:00
Detection :
2023-06-10 08:12:12 +02:00
- Sigma : https://github.com/SigmaHQ/sigma/blob/b02e3b698afbaae143ac4fb36236eb0b41122ed7/rules/windows/image_load/image_load_side_load_coregen.yml
2020-10-09 17:10:49 +02:00
- IOC : coregen.exe loading .dll file not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\"
- IOC : coregen.exe loading .dll file not named coreclr.dll
- IOC : coregen.exe command line containing -L or -l
- IOC : coregen.exe command line containing unexpected/invald assembly name
- IOC : coregen.exe application crash by invalid assembly name
Resources :
- Link : https://www.youtube.com/watch?v=75XImxOOInU
- Link : https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
Acknowledgement :
- Person : Nicky Tyrer
2021-11-05 19:58:26 +01:00
Handle :
2020-10-09 17:10:49 +02:00
- Person : Evan Pena
2021-11-05 19:58:26 +01:00
Handle :
2020-10-09 17:10:49 +02:00
- Person : Casey Erikson
2021-11-05 19:58:26 +01:00
Handle :