From 22d9bbe92a6c6f4ed65890844120cdc69ea1e0fd Mon Sep 17 00:00:00 2001 From: Martin Date: Fri, 9 Oct 2020 17:10:49 +0200 Subject: [PATCH 1/2] Initial commit of Coregen.yml --- yml/OtherMSBinaries/Coregen.yml | 52 +++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 yml/OtherMSBinaries/Coregen.yml diff --git a/yml/OtherMSBinaries/Coregen.yml b/yml/OtherMSBinaries/Coregen.yml new file mode 100644 index 0000000..2f29394 --- /dev/null +++ b/yml/OtherMSBinaries/Coregen.yml @@ -0,0 +1,52 @@ +--- +Name: coregen.exe +Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregin is located within "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight. +Author: Martin Sohn Christensen +Created: 2020-10-09 +Commands: + - Command: coregon.exe.exe /L C:\folder\evil.dll dummy_assembly_name + Description: Loads the target .DLL in arbitrary path specified with /L. + Usecase: Execute DLL code + Category: Execute + Privileges: User + MitreID: T1055 + MitreLink: https://attack.mitre.org/wiki/Technique/T1055 + OperatingSystem: Windows + - Command: coregen.exe dummy_assembly_name + Description: Loads the coreclr.dll in the corgen.exe directory (e.g. C:\Program Files\Microsoft Silverlight\5.1.50918.0). + Usecase: Execute DLL code + Category: Execute + Privileges: User + MitreID: T1055 + MitreLink: https://attack.mitre.org/wiki/Technique/T1055 + OperatingSystem: Windows + - Command: coregen.exe /L C:\folder\evil.dll dummy_assembly_name + Description: Loads the target .DLL in arbitrary path specified with /L. Since binary is signed it can also be used to bypass application whitelisting solutions. + Usecase: Execute DLL code + Category: AWL Bypass + Privileges: User + MitreID: T1218 + MitreLink: https://attack.mitre.org/wiki/Technique/T1218 + OperatingSystem: Windows +Full_Path: + - Path: C:\Program Files\Microsoft Silverlight\5.1.50918.0\coregen.exe + - Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe +Code_Sample: + - Code: +Detection: + - IOC: coregen.exe loading .dll file not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" + - IOC: coregen.exe loading .dll file not named coreclr.dll + - IOC: coregen.exe command line containing -L or -l + - IOC: coregen.exe command line containing unexpected/invald assembly name + - IOC: coregen.exe application crash by invalid assembly name +Resources: + - Link: https://www.youtube.com/watch?v=75XImxOOInU + - Link: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html +Acknowledgement: + - Person: Nicky Tyrer + Handle: + - Person: Evan Pena + Handle: + - Person: Casey Erikson + Handle: +--- \ No newline at end of file From 47c03c97b89376da0094c4c585aace0522e8a257 Mon Sep 17 00:00:00 2001 From: Martin Date: Sat, 10 Oct 2020 19:54:50 +0000 Subject: [PATCH 2/2] Typo --- yml/OtherMSBinaries/Coregen.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OtherMSBinaries/Coregen.yml b/yml/OtherMSBinaries/Coregen.yml index 2f29394..91324cb 100644 --- a/yml/OtherMSBinaries/Coregen.yml +++ b/yml/OtherMSBinaries/Coregen.yml @@ -1,6 +1,6 @@ --- Name: coregen.exe -Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregin is located within "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight. +Description: Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregen is located within "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight. Author: Martin Sohn Christensen Created: 2020-10-09 Commands: @@ -49,4 +49,4 @@ Acknowledgement: Handle: - Person: Casey Erikson Handle: ---- \ No newline at end of file +---