coregen.exe

Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads the exported function GetCLRRuntimeHost from coreclr.dll or from a .DLL at an arbitrary path. Coregen is located within "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0" or the directory of another Silverlight version. Coregen is signed by Microsoft and bundled with Microsoft Silverlight.


Paths:


Resources:
https://www.youtube.com/watch?v=75XImxOOInU
https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html

Acknowledgement:
Nicky Tyrer -
Evan Pena -
Casey Erikson -


Detection:
coregen.exe loading .dll file not in "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\"
coregen.exe loading .dll file not named coreclr.dll
coregen.exe command line containing -L or -l
coregen.exe command line containing unexpected/invalid assembly name
coregen.exe application crash by invalid assembly name
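The first three detection rules above can be evaluated mechanically over process-creation and image-load telemetry. The following is an added example written for this page, not code from the LOLBAS project: it runs the rules over a few constructed, simplified Sysmon-style events (EventID 1 = process create with CommandLine, EventID 7 = image load with ImageLoaded). Instead of hard-coding the 5.1.50918.0 directory it checks that the loaded DLL sits in the same directory as the coregen.exe image that loaded it, which covers other Silverlight versions; the event dictionary layout and the EXPECTED_DIR value are assumptions for the sample data.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample directory and events; not real telemetry.
EXPECTED_DIR = r"C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0"

SAMPLE_EVENTS = [
    # Benign: coregen.exe loads coreclr.dll from its own directory.
    {"EventID": 7, "Image": EXPECTED_DIR + r"\coregen.exe",
     "ImageLoaded": EXPECTED_DIR + r"\coreclr.dll"},
    # Suspicious: /L points coregen.exe at a DLL outside its directory.
    {"EventID": 1, "Image": EXPECTED_DIR + r"\coregen.exe",
     "CommandLine": r"coregen.exe /L C:\Users\Public\evil.dll dummy_assembly_name"},
    {"EventID": 7, "Image": EXPECTED_DIR + r"\coregen.exe",
     "ImageLoaded": r"C:\Users\Public\evil.dll"},
    # Unrelated process: must not trigger any coregen rule.
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

# Matches a standalone /L, -L, /l or -l argument in the command line.
LOAD_FLAG = re.compile(r"(?:^|\s)[/-]L(?:\s|$)", re.IGNORECASE)


def is_coregen(image: str) -> bool:
    """True when the acting process image is coregen.exe (case-insensitive)."""
    return PureWindowsPath(image).name.lower() == "coregen.exe"


def same_directory(path_a: str, path_b: str) -> bool:
    """Compare parent directories; PureWindowsPath equality is case-insensitive."""
    return PureWindowsPath(path_a).parent == PureWindowsPath(path_b).parent


def evaluate(event: dict) -> list:
    """Return (rule, detail) pairs that a single event triggers."""
    hits = []
    image = event.get("Image", "")
    if not is_coregen(image):
        return hits
    if event["EventID"] == 7:
        loaded = event["ImageLoaded"]
        # Rule 1: DLL loaded from outside the coregen.exe directory.
        if not same_directory(loaded, image):
            hits.append(("dll_outside_coregen_dir", loaded))
        # Rule 2: the loaded DLL is not coreclr.dll.
        if PureWindowsPath(loaded).name.lower() != "coreclr.dll":
            hits.append(("dll_not_coreclr", loaded))
    elif event["EventID"] == 1:
        cmd = event.get("CommandLine", "")
        # Rule 3: command line carries the -L / /L load-path flag.
        if LOAD_FLAG.search(cmd):
            hits.append(("load_flag_in_cmdline", cmd))
    return hits


def scan(events: list) -> list:
    """Run every rule over every event; returns (EventID, rule, detail) alerts."""
    alerts = []
    for ev in events:
        for rule, detail in evaluate(ev):
            alerts.append((ev["EventID"], rule, detail))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints three alerts for the constructed data: the command-line flag hit and two image-load hits for the DLL loaded from C:\Users\Public, while the benign coreclr.dll load and the unrelated notepad.exe event stay silent. Rule 4 (unexpected assembly name) is not encoded because it needs a site-specific baseline of legitimate assembly names.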



Execute

Loads the target .DLL in arbitrary path specified with /L.
coregen.exe /L C:\folder\evil.dll dummy_assembly_name
Usecase:Execute DLL code
Privileges required:User
OS:Windows
Mitre:T1055



Loads the coreclr.dll in the coregen.exe directory (e.g. C:\Program Files\Microsoft Silverlight\5.1.50918.0).
coregen.exe dummy_assembly_name
Usecase:Execute DLL code
Privileges required:User
OS:Windows
Mitre:T1055



AWL bypass

Loads the target .DLL at the arbitrary path specified with /L. Since the binary is signed, it can also be used to bypass application whitelisting solutions.
coregen.exe /L C:\folder\evil.dll dummy_assembly_name
Usecase:Execute DLL code
Privileges required:User
OS:Windows
Mitre:T1218